amadey | 2929a545b949a6c9656a4031043fb4fd0ef9521e18a10ebb1164159961bef77b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2023 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3982986ebc039ab0e704c819d657c2d1014109b45aa86f058c81ff04771dcb50.exe
Size

1.4MB
MD5

e538a13d55d116777c2766732b2511c2
SHA1

45feafdb23b355d9e1530b16e7c1bc819997ff3f
SHA256

3982986ebc039ab0e704c819d657c2d1014109b45aa86f058c81ff04771dcb50
SHA512

884b0669685dbc5584497f79bea4e7e620f67224292992908a589cc047b2c96858f48f9f5ce036336f49c59bb7bb156f2d9d6088bb0550a5e5168f5451fb3730
SSDEEP

24576:wyO81yRBuAsoFsmFYkQkNexHOLIwsZ8IZssi2ZrjbDMLyCDPk:3WRBPxbFYqeRuIwsZjZDZr3IDD

Score

10^/10

amadey redline smokeloader grome backdoor evasion infostealer persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4412-56-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5cE6AQ6.exeexplothe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	5cE6AQ6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 13 IoCs

Processes:

pm3tI77.exeXx5Al47.exeTc2Tv02.exevX3Ub30.exe1IW46gn6.exe2As3808.exe3Ae31eW.exe4aZ388yB.exe5cE6AQ6.exeexplothe.exe6Ms3RP9.exeexplothe.exeexplothe.exe

pid	process
4944	pm3tI77.exe
3988	Xx5Al47.exe
4848	Tc2Tv02.exe
744	vX3Ub30.exe
3660	1IW46gn6.exe
3656	2As3808.exe
4588	3Ae31eW.exe
4364	4aZ388yB.exe
2288	5cE6AQ6.exe
5104	explothe.exe
440	6Ms3RP9.exe
4776	explothe.exe
1920	explothe.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3982986ebc039ab0e704c819d657c2d1014109b45aa86f058c81ff04771dcb50.exepm3tI77.exeXx5Al47.exeTc2Tv02.exevX3Ub30.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3982986ebc039ab0e704c819d657c2d1014109b45aa86f058c81ff04771dcb50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pm3tI77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Xx5Al47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Tc2Tv02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	vX3Ub30.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1IW46gn6.exe2As3808.exe4aZ388yB.exe

description	pid	process	target process
PID 3660 set thread context of 3968	3660	1IW46gn6.exe	AppLaunch.exe
PID 3656 set thread context of 432	3656	2As3808.exe	AppLaunch.exe
PID 4364 set thread context of 4412	4364	4aZ388yB.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3104 432 WerFault.exe AppLaunch.exe

pid	pid_target	process	target process
3104	432	WerFault.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3Ae31eW.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Ae31eW.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Ae31eW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Ae31eW.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1016 schtasks.exe

pid	process
1016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3Ae31eW.exeAppLaunch.exe

pid	process
4588	3Ae31eW.exe
4588	3Ae31eW.exe
3968	AppLaunch.exe
3968	AppLaunch.exe
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3312
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3Ae31eW.exe

pid process

4588 3Ae31eW.exe

pid	process
3312

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	3968	AppLaunch.exe
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3312
3312

pid	process
3312
3312

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3982986ebc039ab0e704c819d657c2d1014109b45aa86f058c81ff04771dcb50.exepm3tI77.exeXx5Al47.exeTc2Tv02.exevX3Ub30.exe1IW46gn6.exe2As3808.exe4aZ388yB.exe5cE6AQ6.exeexplothe.exe

description	pid	process	target process
PID 5024 wrote to memory of 4944	5024	3982986ebc039ab0e704c819d657c2d1014109b45aa86f058c81ff04771dcb50.exe	pm3tI77.exe
PID 5024 wrote to memory of 4944	5024	3982986ebc039ab0e704c819d657c2d1014109b45aa86f058c81ff04771dcb50.exe	pm3tI77.exe
PID 5024 wrote to memory of 4944	5024	3982986ebc039ab0e704c819d657c2d1014109b45aa86f058c81ff04771dcb50.exe	pm3tI77.exe
PID 4944 wrote to memory of 3988	4944	pm3tI77.exe	Xx5Al47.exe
PID 4944 wrote to memory of 3988	4944	pm3tI77.exe	Xx5Al47.exe
PID 4944 wrote to memory of 3988	4944	pm3tI77.exe	Xx5Al47.exe
PID 3988 wrote to memory of 4848	3988	Xx5Al47.exe	Tc2Tv02.exe
PID 3988 wrote to memory of 4848	3988	Xx5Al47.exe	Tc2Tv02.exe
PID 3988 wrote to memory of 4848	3988	Xx5Al47.exe	Tc2Tv02.exe
PID 4848 wrote to memory of 744	4848	Tc2Tv02.exe	vX3Ub30.exe
PID 4848 wrote to memory of 744	4848	Tc2Tv02.exe	vX3Ub30.exe
PID 4848 wrote to memory of 744	4848	Tc2Tv02.exe	vX3Ub30.exe
PID 744 wrote to memory of 3660	744	vX3Ub30.exe	1IW46gn6.exe
PID 744 wrote to memory of 3660	744	vX3Ub30.exe	1IW46gn6.exe
PID 744 wrote to memory of 3660	744	vX3Ub30.exe	1IW46gn6.exe
PID 3660 wrote to memory of 3968	3660	1IW46gn6.exe	AppLaunch.exe
PID 3660 wrote to memory of 3968	3660	1IW46gn6.exe	AppLaunch.exe
PID 3660 wrote to memory of 3968	3660	1IW46gn6.exe	AppLaunch.exe
PID 3660 wrote to memory of 3968	3660	1IW46gn6.exe	AppLaunch.exe
PID 3660 wrote to memory of 3968	3660	1IW46gn6.exe	AppLaunch.exe
PID 3660 wrote to memory of 3968	3660	1IW46gn6.exe	AppLaunch.exe
PID 3660 wrote to memory of 3968	3660	1IW46gn6.exe	AppLaunch.exe
PID 3660 wrote to memory of 3968	3660	1IW46gn6.exe	AppLaunch.exe
PID 744 wrote to memory of 3656	744	vX3Ub30.exe	2As3808.exe
PID 744 wrote to memory of 3656	744	vX3Ub30.exe	2As3808.exe
PID 744 wrote to memory of 3656	744	vX3Ub30.exe	2As3808.exe
PID 3656 wrote to memory of 432	3656	2As3808.exe	AppLaunch.exe
PID 3656 wrote to memory of 432	3656	2As3808.exe	AppLaunch.exe
PID 3656 wrote to memory of 432	3656	2As3808.exe	AppLaunch.exe
PID 3656 wrote to memory of 432	3656	2As3808.exe	AppLaunch.exe
PID 3656 wrote to memory of 432	3656	2As3808.exe	AppLaunch.exe
PID 3656 wrote to memory of 432	3656	2As3808.exe	AppLaunch.exe
PID 3656 wrote to memory of 432	3656	2As3808.exe	AppLaunch.exe
PID 3656 wrote to memory of 432	3656	2As3808.exe	AppLaunch.exe
PID 3656 wrote to memory of 432	3656	2As3808.exe	AppLaunch.exe
PID 3656 wrote to memory of 432	3656	2As3808.exe	AppLaunch.exe
PID 4848 wrote to memory of 4588	4848	Tc2Tv02.exe	3Ae31eW.exe
PID 4848 wrote to memory of 4588	4848	Tc2Tv02.exe	3Ae31eW.exe
PID 4848 wrote to memory of 4588	4848	Tc2Tv02.exe	3Ae31eW.exe
PID 3988 wrote to memory of 4364	3988	Xx5Al47.exe	4aZ388yB.exe
PID 3988 wrote to memory of 4364	3988	Xx5Al47.exe	4aZ388yB.exe
PID 3988 wrote to memory of 4364	3988	Xx5Al47.exe	4aZ388yB.exe
PID 4364 wrote to memory of 4412	4364	4aZ388yB.exe	AppLaunch.exe
PID 4364 wrote to memory of 4412	4364	4aZ388yB.exe	AppLaunch.exe
PID 4364 wrote to memory of 4412	4364	4aZ388yB.exe	AppLaunch.exe
PID 4364 wrote to memory of 4412	4364	4aZ388yB.exe	AppLaunch.exe
PID 4364 wrote to memory of 4412	4364	4aZ388yB.exe	AppLaunch.exe
PID 4364 wrote to memory of 4412	4364	4aZ388yB.exe	AppLaunch.exe
PID 4364 wrote to memory of 4412	4364	4aZ388yB.exe	AppLaunch.exe
PID 4364 wrote to memory of 4412	4364	4aZ388yB.exe	AppLaunch.exe
PID 4944 wrote to memory of 2288	4944	pm3tI77.exe	5cE6AQ6.exe
PID 4944 wrote to memory of 2288	4944	pm3tI77.exe	5cE6AQ6.exe
PID 4944 wrote to memory of 2288	4944	pm3tI77.exe	5cE6AQ6.exe
PID 2288 wrote to memory of 5104	2288	5cE6AQ6.exe	explothe.exe
PID 2288 wrote to memory of 5104	2288	5cE6AQ6.exe	explothe.exe
PID 2288 wrote to memory of 5104	2288	5cE6AQ6.exe	explothe.exe
PID 5024 wrote to memory of 440	5024	3982986ebc039ab0e704c819d657c2d1014109b45aa86f058c81ff04771dcb50.exe	6Ms3RP9.exe
PID 5024 wrote to memory of 440	5024	3982986ebc039ab0e704c819d657c2d1014109b45aa86f058c81ff04771dcb50.exe	6Ms3RP9.exe
PID 5024 wrote to memory of 440	5024	3982986ebc039ab0e704c819d657c2d1014109b45aa86f058c81ff04771dcb50.exe	6Ms3RP9.exe
PID 5104 wrote to memory of 1016	5104	explothe.exe	schtasks.exe
PID 5104 wrote to memory of 1016	5104	explothe.exe	schtasks.exe
PID 5104 wrote to memory of 1016	5104	explothe.exe	schtasks.exe
PID 5104 wrote to memory of 4296	5104	explothe.exe	cmd.exe
PID 5104 wrote to memory of 4296	5104	explothe.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3982986ebc039ab0e704c819d657c2d1014109b45aa86f058c81ff04771dcb50.exe
"C:\Users\Admin\AppData\Local\Temp\3982986ebc039ab0e704c819d657c2d1014109b45aa86f058c81ff04771dcb50.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5024

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pm3tI77.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pm3tI77.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4944

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xx5Al47.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xx5Al47.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3988

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tc2Tv02.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tc2Tv02.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vX3Ub30.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vX3Ub30.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1IW46gn6.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1IW46gn6.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2As3808.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2As3808.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 540
8⤵
- Program crash
PID:3104

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Ae31eW.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Ae31eW.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4588

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4aZ388yB.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4aZ388yB.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5cE6AQ6.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5cE6AQ6.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
5⤵
- Creates scheduled task(s)
PID:1016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
5⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2308

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
6⤵
PID:4600

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
6⤵
PID:4168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4072

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
6⤵
PID:4404

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
6⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Ms3RP9.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Ms3RP9.exe
2⤵
- Executes dropped EXE
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 432 -ip 432
1⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4776

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:1920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Ms3RP9.exe
Filesize
184KB

MD5
7afca88f36e14eb409a31ae80b23c4db

SHA1
bfab6932a3e75df57bf5d82d8d3eabc684e77f1c

SHA256
64902dfb9f2153af88f8338e28f062b9e4bf00cabf1be74ad61fa55acc7b18a5

SHA512
17ae0992a306d6ca6bc1a1aae38a29d5bc58a64f5efb3971f7a247768a00dacf2864fe522694bf0a054965673f3f52016f02c59bc53183579251aff2ae5e40b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Ms3RP9.exe
Filesize
184KB

MD5
7afca88f36e14eb409a31ae80b23c4db

SHA1
bfab6932a3e75df57bf5d82d8d3eabc684e77f1c

SHA256
64902dfb9f2153af88f8338e28f062b9e4bf00cabf1be74ad61fa55acc7b18a5

SHA512
17ae0992a306d6ca6bc1a1aae38a29d5bc58a64f5efb3971f7a247768a00dacf2864fe522694bf0a054965673f3f52016f02c59bc53183579251aff2ae5e40b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pm3tI77.exe
Filesize
1.2MB

MD5
e1bbc50c7c530830d3aea1f945b0841a

SHA1
737b61ca28fd784df98e41f4e850be2cebf1118b

SHA256
29999d4f215e8f98e45450d1efbf302e4f4952d94d5d870a80ebe9ec6c1f05c5

SHA512
61387931b8f3881f2bd328154ce8192605a7e12d78db1d860b6b3aa93594579c90c45d9a1173f02171053e2eabeceadc3e531c00bccc8237bc0822501e21ec9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pm3tI77.exe
Filesize
1.2MB

MD5
e1bbc50c7c530830d3aea1f945b0841a

SHA1
737b61ca28fd784df98e41f4e850be2cebf1118b

SHA256
29999d4f215e8f98e45450d1efbf302e4f4952d94d5d870a80ebe9ec6c1f05c5

SHA512
61387931b8f3881f2bd328154ce8192605a7e12d78db1d860b6b3aa93594579c90c45d9a1173f02171053e2eabeceadc3e531c00bccc8237bc0822501e21ec9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5cE6AQ6.exe
Filesize
221KB

MD5
8c5b20b7b925b5010ff099a8f14be977

SHA1
950db94c7c9c68707de1f902c69ff96d8bbc1921

SHA256
95f2057627d55036471d52b479e64f494cf99bc9168e91ac76e1781a0867f151

SHA512
67d48b78399a185f696175fce0d86f63b72fd05e552bd6a7e124d73f39dfee46008ee3a5d09ad6408dc7605b56258d4b861020f845437e20f0a40f3ed20eb6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5cE6AQ6.exe
Filesize
221KB

MD5
8c5b20b7b925b5010ff099a8f14be977

SHA1
950db94c7c9c68707de1f902c69ff96d8bbc1921

SHA256
95f2057627d55036471d52b479e64f494cf99bc9168e91ac76e1781a0867f151

SHA512
67d48b78399a185f696175fce0d86f63b72fd05e552bd6a7e124d73f39dfee46008ee3a5d09ad6408dc7605b56258d4b861020f845437e20f0a40f3ed20eb6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xx5Al47.exe
Filesize
1.0MB

MD5
40e24ac74cd70dbb7ea62835416403bf

SHA1
adb48d57c7151e574cd1601715f783a9e1d32f65

SHA256
7668aacf343f0dc016f3283f4a8092e2edd78108e7004f39c628dd1c4555003a

SHA512
f0b1efefc7608f0455f1994eeb4f2b1d859137f19bd2d2a37d38116d366f20083adb56082aacad1897c05c690bce40a27366e3067e93013c5e4995e2e7af4a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xx5Al47.exe
Filesize
1.0MB

MD5
40e24ac74cd70dbb7ea62835416403bf

SHA1
adb48d57c7151e574cd1601715f783a9e1d32f65

SHA256
7668aacf343f0dc016f3283f4a8092e2edd78108e7004f39c628dd1c4555003a

SHA512
f0b1efefc7608f0455f1994eeb4f2b1d859137f19bd2d2a37d38116d366f20083adb56082aacad1897c05c690bce40a27366e3067e93013c5e4995e2e7af4a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4aZ388yB.exe
Filesize
1.1MB

MD5
f389a95eaf41b58b52acef421724c412

SHA1
30504c4a4377337f5ed6f50cf9a93d5e7758984a

SHA256
039f721f6913e643a1598c04a466272618c4f85f5279b23eb894b74b6f007129

SHA512
fa17e6a962e77fffd83aa5e3166eedb430378548db55481cb7ebaa6ba4611d379db163aa2f5fcb7535d88c6c92692d283b9dfcd1c8b6fbf1a9b39d0341a9e95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4aZ388yB.exe
Filesize
1.1MB

MD5
f389a95eaf41b58b52acef421724c412

SHA1
30504c4a4377337f5ed6f50cf9a93d5e7758984a

SHA256
039f721f6913e643a1598c04a466272618c4f85f5279b23eb894b74b6f007129

SHA512
fa17e6a962e77fffd83aa5e3166eedb430378548db55481cb7ebaa6ba4611d379db163aa2f5fcb7535d88c6c92692d283b9dfcd1c8b6fbf1a9b39d0341a9e95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tc2Tv02.exe
Filesize
649KB

MD5
755030318715eaf608ebe9bf23e56a3b

SHA1
2143c88139950faca4d55ff2da805489ccca691c

SHA256
f3135cf753de6f98ebc018879b019c562a867f43f4768005f11ad36f3de87ae5

SHA512
c627feb24d3aeaff56f735b4c21de3f6e90e34a97c50983a14698416dd3a29e20eed3763a8e6fba4b08ac5139b55f9d079e35ab5d910965250dbc864e7ca7a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tc2Tv02.exe
Filesize
649KB

MD5
755030318715eaf608ebe9bf23e56a3b

SHA1
2143c88139950faca4d55ff2da805489ccca691c

SHA256
f3135cf753de6f98ebc018879b019c562a867f43f4768005f11ad36f3de87ae5

SHA512
c627feb24d3aeaff56f735b4c21de3f6e90e34a97c50983a14698416dd3a29e20eed3763a8e6fba4b08ac5139b55f9d079e35ab5d910965250dbc864e7ca7a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Ae31eW.exe
Filesize
31KB

MD5
d435ed09749d875eac51ba2ead9579b4

SHA1
7bd7338a3c95058ed84a9a90a81db1a2d0c8df92

SHA256
94056e0014926fe2a871c2ce125f4614d7fb6a151159a32ce62dc82740ff32ca

SHA512
c1728a320dc3d6a4330ff19b24d882afb32fe42ae3c48f88df821dd927ef2ffe0ab40dd2fdb527d43c17c8bd94a8ba3c183acff9db2f5b17c7a4d1de2c619dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Ae31eW.exe
Filesize
31KB

MD5
d435ed09749d875eac51ba2ead9579b4

SHA1
7bd7338a3c95058ed84a9a90a81db1a2d0c8df92

SHA256
94056e0014926fe2a871c2ce125f4614d7fb6a151159a32ce62dc82740ff32ca

SHA512
c1728a320dc3d6a4330ff19b24d882afb32fe42ae3c48f88df821dd927ef2ffe0ab40dd2fdb527d43c17c8bd94a8ba3c183acff9db2f5b17c7a4d1de2c619dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vX3Ub30.exe
Filesize
525KB

MD5
af6faebee4cf570547b86a7b8374bf8d

SHA1
05cd2ffdb8e0010015d877e1e8bae021a21ff01b

SHA256
d052ae19979c38fb89ba7207eacd866b09e47874990a95f71740e0376b48ee84

SHA512
275bf0a66816ade0ccbbab084ca606adbf478bc844c3159aa59706487e8155fc72ce8a06aaf662f58516566b5c5d8ea4be4b4311e274e1167829fc26b4dedb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vX3Ub30.exe
Filesize
525KB

MD5
af6faebee4cf570547b86a7b8374bf8d

SHA1
05cd2ffdb8e0010015d877e1e8bae021a21ff01b

SHA256
d052ae19979c38fb89ba7207eacd866b09e47874990a95f71740e0376b48ee84

SHA512
275bf0a66816ade0ccbbab084ca606adbf478bc844c3159aa59706487e8155fc72ce8a06aaf662f58516566b5c5d8ea4be4b4311e274e1167829fc26b4dedb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1IW46gn6.exe
Filesize
869KB

MD5
5849aa2028ae2370b3491595d3a76333

SHA1
07a65e90b4896818b3052aeba9ac321651e4de90

SHA256
fe539814c19c515cc961d0a61bd871aa8204abaf41bdb419bfd9019b49e71fe2

SHA512
24856b1cf188cf230b4cadf5828b012073099957bf19f618f04da5ac697447f1d3e3c7839c5671a371c2a528924aaa72cb1e6315519c9fc92cfc049fafe30e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1IW46gn6.exe
Filesize
869KB

MD5
5849aa2028ae2370b3491595d3a76333

SHA1
07a65e90b4896818b3052aeba9ac321651e4de90

SHA256
fe539814c19c515cc961d0a61bd871aa8204abaf41bdb419bfd9019b49e71fe2

SHA512
24856b1cf188cf230b4cadf5828b012073099957bf19f618f04da5ac697447f1d3e3c7839c5671a371c2a528924aaa72cb1e6315519c9fc92cfc049fafe30e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2As3808.exe
Filesize
1.0MB

MD5
029a09bc8b134448dcc8396d88113f31

SHA1
c88da99b3d250634f99d946b9b4916b69a7a11cd

SHA256
0109476ed419527083695cb964fd1fbff599d526b0a469a84734da616ce7f964

SHA512
5ecffea521cb1bbcdfc0eebd2cb12b7bc4352c31fcc1da23d4865159fa41aac1e3ce38bbbd22322c571257cf3ef1934dfe826385fa2c3d98bc24082af8eab340

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2As3808.exe
Filesize
1.0MB

MD5
029a09bc8b134448dcc8396d88113f31

SHA1
c88da99b3d250634f99d946b9b4916b69a7a11cd

SHA256
0109476ed419527083695cb964fd1fbff599d526b0a469a84734da616ce7f964

SHA512
5ecffea521cb1bbcdfc0eebd2cb12b7bc4352c31fcc1da23d4865159fa41aac1e3ce38bbbd22322c571257cf3ef1934dfe826385fa2c3d98bc24082af8eab340

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
8c5b20b7b925b5010ff099a8f14be977

SHA1
950db94c7c9c68707de1f902c69ff96d8bbc1921

SHA256
95f2057627d55036471d52b479e64f494cf99bc9168e91ac76e1781a0867f151

SHA512
67d48b78399a185f696175fce0d86f63b72fd05e552bd6a7e124d73f39dfee46008ee3a5d09ad6408dc7605b56258d4b861020f845437e20f0a40f3ed20eb6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
8c5b20b7b925b5010ff099a8f14be977

SHA1
950db94c7c9c68707de1f902c69ff96d8bbc1921

SHA256
95f2057627d55036471d52b479e64f494cf99bc9168e91ac76e1781a0867f151

SHA512
67d48b78399a185f696175fce0d86f63b72fd05e552bd6a7e124d73f39dfee46008ee3a5d09ad6408dc7605b56258d4b861020f845437e20f0a40f3ed20eb6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
8c5b20b7b925b5010ff099a8f14be977

SHA1
950db94c7c9c68707de1f902c69ff96d8bbc1921

SHA256
95f2057627d55036471d52b479e64f494cf99bc9168e91ac76e1781a0867f151

SHA512
67d48b78399a185f696175fce0d86f63b72fd05e552bd6a7e124d73f39dfee46008ee3a5d09ad6408dc7605b56258d4b861020f845437e20f0a40f3ed20eb6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
8c5b20b7b925b5010ff099a8f14be977

SHA1
950db94c7c9c68707de1f902c69ff96d8bbc1921

SHA256
95f2057627d55036471d52b479e64f494cf99bc9168e91ac76e1781a0867f151

SHA512
67d48b78399a185f696175fce0d86f63b72fd05e552bd6a7e124d73f39dfee46008ee3a5d09ad6408dc7605b56258d4b861020f845437e20f0a40f3ed20eb6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
8c5b20b7b925b5010ff099a8f14be977

SHA1
950db94c7c9c68707de1f902c69ff96d8bbc1921

SHA256
95f2057627d55036471d52b479e64f494cf99bc9168e91ac76e1781a0867f151

SHA512
67d48b78399a185f696175fce0d86f63b72fd05e552bd6a7e124d73f39dfee46008ee3a5d09ad6408dc7605b56258d4b861020f845437e20f0a40f3ed20eb6e3

Download Submit
memory/432-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/432-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/432-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/432-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-49-0x00000000031D0000-0x00000000031E6000-memory.dmp

Filesize
88KB

Download
memory/3968-80-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/3968-39-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/3968-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3968-84-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/4412-77-0x0000000008AE0000-0x00000000090F8000-memory.dmp

Filesize
6.1MB

Download
memory/4412-63-0x0000000007F10000-0x00000000084B4000-memory.dmp

Filesize
5.6MB

Download
memory/4412-69-0x00000000079D0000-0x00000000079E0000-memory.dmp

Filesize
64KB

Download
memory/4412-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4412-64-0x0000000007A00000-0x0000000007A92000-memory.dmp

Filesize
584KB

Download
memory/4412-78-0x0000000007DA0000-0x0000000007EAA000-memory.dmp

Filesize
1.0MB

Download
memory/4412-79-0x0000000007CD0000-0x0000000007CE2000-memory.dmp

Filesize
72KB

Download
memory/4412-73-0x0000000007B00000-0x0000000007B0A000-memory.dmp

Filesize
40KB

Download
memory/4412-81-0x0000000007D30000-0x0000000007D6C000-memory.dmp

Filesize
240KB

Download
memory/4412-82-0x0000000007EB0000-0x0000000007EFC000-memory.dmp

Filesize
304KB

Download
memory/4412-60-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/4412-85-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/4412-86-0x00000000079D0000-0x00000000079E0000-memory.dmp

Filesize
64KB

Download
memory/4588-51-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4588-47-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download