amadey | 9f65c08757372cf2555e62bb0affde83773bf9819ed84a352e513e492380d7eb

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2023 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.efdd044203d81be9cedcc631506e4660.exe
Size

1.4MB
MD5

efdd044203d81be9cedcc631506e4660
SHA1

d41c34a614f90307eb49017a615574af2d807337
SHA256

9f65c08757372cf2555e62bb0affde83773bf9819ed84a352e513e492380d7eb
SHA512

d4ee0fd8ed6a73d0de9986661f4c5b626a04bea59057d7e971af03bb55de17e22b67ccaeb838fe941bcc69ac7dc2a5adacfe112845735d44b7b2c4cb06d99895
SSDEEP

24576:GySsbebHBWrk0B3kJKFJ2VKraGyJdgUON1psLp6dsxALTo:VtezEbpkAWVKxKeN1pWMUALT

Score

10^/10

amadey redline smokeloader grome backdoor evasion infostealer persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/920-57-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5Kg1JS3.exeexplothe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	5Kg1JS3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 14 IoCs

Processes:

oJ7sq55.exeXc3gA90.exeBl9CK11.exeRW6kx44.exe1gf81Sb5.exe2vd7962.exe3Wb51ya.exe4ur142Sq.exe5Kg1JS3.exeexplothe.exe6XP2tB8.exeexplothe.exeexplothe.exeexplothe.exe

pid	process
4304	oJ7sq55.exe
4976	Xc3gA90.exe
2300	Bl9CK11.exe
3460	RW6kx44.exe
2332	1gf81Sb5.exe
2984	2vd7962.exe
2368	3Wb51ya.exe
2772	4ur142Sq.exe
2496	5Kg1JS3.exe
3892	explothe.exe
4136	6XP2tB8.exe
2100	explothe.exe
4576	explothe.exe
4424	explothe.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.efdd044203d81be9cedcc631506e4660.exeoJ7sq55.exeXc3gA90.exeBl9CK11.exeRW6kx44.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.efdd044203d81be9cedcc631506e4660.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	oJ7sq55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Xc3gA90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Bl9CK11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	RW6kx44.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1gf81Sb5.exe2vd7962.exe4ur142Sq.exe

description	pid	process	target process
PID 2332 set thread context of 3188	2332	1gf81Sb5.exe	AppLaunch.exe
PID 2984 set thread context of 5036	2984	2vd7962.exe	AppLaunch.exe
PID 2772 set thread context of 920	2772	4ur142Sq.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3988 5036 WerFault.exe AppLaunch.exe

pid	pid_target	process	target process
3988	5036	WerFault.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3Wb51ya.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Wb51ya.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Wb51ya.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Wb51ya.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4560 schtasks.exe

pid	process
4560	schtasks.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3Wb51ya.exeAppLaunch.exe

pid	process
2368	3Wb51ya.exe
2368	3Wb51ya.exe
3188	AppLaunch.exe
3188	AppLaunch.exe
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3296
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3Wb51ya.exe

pid process

2368 3Wb51ya.exe

pid	process
3296

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	3188	AppLaunch.exe
Token: SeShutdownPrivilege	3296
Token: SeCreatePagefilePrivilege	3296
Token: SeShutdownPrivilege	3296
Token: SeCreatePagefilePrivilege	3296
Token: SeShutdownPrivilege	3296
Token: SeCreatePagefilePrivilege	3296
Token: SeShutdownPrivilege	3296
Token: SeCreatePagefilePrivilege	3296
Token: SeShutdownPrivilege	3296
Token: SeCreatePagefilePrivilege	3296
Token: SeShutdownPrivilege	3296
Token: SeCreatePagefilePrivilege	3296

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NEAS.efdd044203d81be9cedcc631506e4660.exeoJ7sq55.exeXc3gA90.exeBl9CK11.exeRW6kx44.exe1gf81Sb5.exe2vd7962.exe4ur142Sq.exe5Kg1JS3.exe

description	pid	process	target process
PID 1944 wrote to memory of 4304	1944	NEAS.efdd044203d81be9cedcc631506e4660.exe	oJ7sq55.exe
PID 1944 wrote to memory of 4304	1944	NEAS.efdd044203d81be9cedcc631506e4660.exe	oJ7sq55.exe
PID 1944 wrote to memory of 4304	1944	NEAS.efdd044203d81be9cedcc631506e4660.exe	oJ7sq55.exe
PID 4304 wrote to memory of 4976	4304	oJ7sq55.exe	Xc3gA90.exe
PID 4304 wrote to memory of 4976	4304	oJ7sq55.exe	Xc3gA90.exe
PID 4304 wrote to memory of 4976	4304	oJ7sq55.exe	Xc3gA90.exe
PID 4976 wrote to memory of 2300	4976	Xc3gA90.exe	Bl9CK11.exe
PID 4976 wrote to memory of 2300	4976	Xc3gA90.exe	Bl9CK11.exe
PID 4976 wrote to memory of 2300	4976	Xc3gA90.exe	Bl9CK11.exe
PID 2300 wrote to memory of 3460	2300	Bl9CK11.exe	RW6kx44.exe
PID 2300 wrote to memory of 3460	2300	Bl9CK11.exe	RW6kx44.exe
PID 2300 wrote to memory of 3460	2300	Bl9CK11.exe	RW6kx44.exe
PID 3460 wrote to memory of 2332	3460	RW6kx44.exe	1gf81Sb5.exe
PID 3460 wrote to memory of 2332	3460	RW6kx44.exe	1gf81Sb5.exe
PID 3460 wrote to memory of 2332	3460	RW6kx44.exe	1gf81Sb5.exe
PID 2332 wrote to memory of 4908	2332	1gf81Sb5.exe	AppLaunch.exe
PID 2332 wrote to memory of 4908	2332	1gf81Sb5.exe	AppLaunch.exe
PID 2332 wrote to memory of 4908	2332	1gf81Sb5.exe	AppLaunch.exe
PID 2332 wrote to memory of 3188	2332	1gf81Sb5.exe	AppLaunch.exe
PID 2332 wrote to memory of 3188	2332	1gf81Sb5.exe	AppLaunch.exe
PID 2332 wrote to memory of 3188	2332	1gf81Sb5.exe	AppLaunch.exe
PID 2332 wrote to memory of 3188	2332	1gf81Sb5.exe	AppLaunch.exe
PID 2332 wrote to memory of 3188	2332	1gf81Sb5.exe	AppLaunch.exe
PID 2332 wrote to memory of 3188	2332	1gf81Sb5.exe	AppLaunch.exe
PID 2332 wrote to memory of 3188	2332	1gf81Sb5.exe	AppLaunch.exe
PID 2332 wrote to memory of 3188	2332	1gf81Sb5.exe	AppLaunch.exe
PID 3460 wrote to memory of 2984	3460	RW6kx44.exe	2vd7962.exe
PID 3460 wrote to memory of 2984	3460	RW6kx44.exe	2vd7962.exe
PID 3460 wrote to memory of 2984	3460	RW6kx44.exe	2vd7962.exe
PID 2984 wrote to memory of 5036	2984	2vd7962.exe	AppLaunch.exe
PID 2984 wrote to memory of 5036	2984	2vd7962.exe	AppLaunch.exe
PID 2984 wrote to memory of 5036	2984	2vd7962.exe	AppLaunch.exe
PID 2984 wrote to memory of 5036	2984	2vd7962.exe	AppLaunch.exe
PID 2984 wrote to memory of 5036	2984	2vd7962.exe	AppLaunch.exe
PID 2984 wrote to memory of 5036	2984	2vd7962.exe	AppLaunch.exe
PID 2984 wrote to memory of 5036	2984	2vd7962.exe	AppLaunch.exe
PID 2984 wrote to memory of 5036	2984	2vd7962.exe	AppLaunch.exe
PID 2984 wrote to memory of 5036	2984	2vd7962.exe	AppLaunch.exe
PID 2984 wrote to memory of 5036	2984	2vd7962.exe	AppLaunch.exe
PID 2300 wrote to memory of 2368	2300	Bl9CK11.exe	3Wb51ya.exe
PID 2300 wrote to memory of 2368	2300	Bl9CK11.exe	3Wb51ya.exe
PID 2300 wrote to memory of 2368	2300	Bl9CK11.exe	3Wb51ya.exe
PID 4976 wrote to memory of 2772	4976	Xc3gA90.exe	4ur142Sq.exe
PID 4976 wrote to memory of 2772	4976	Xc3gA90.exe	4ur142Sq.exe
PID 4976 wrote to memory of 2772	4976	Xc3gA90.exe	4ur142Sq.exe
PID 2772 wrote to memory of 916	2772	4ur142Sq.exe	AppLaunch.exe
PID 2772 wrote to memory of 916	2772	4ur142Sq.exe	AppLaunch.exe
PID 2772 wrote to memory of 916	2772	4ur142Sq.exe	AppLaunch.exe
PID 2772 wrote to memory of 920	2772	4ur142Sq.exe	AppLaunch.exe
PID 2772 wrote to memory of 920	2772	4ur142Sq.exe	AppLaunch.exe
PID 2772 wrote to memory of 920	2772	4ur142Sq.exe	AppLaunch.exe
PID 2772 wrote to memory of 920	2772	4ur142Sq.exe	AppLaunch.exe
PID 2772 wrote to memory of 920	2772	4ur142Sq.exe	AppLaunch.exe
PID 2772 wrote to memory of 920	2772	4ur142Sq.exe	AppLaunch.exe
PID 2772 wrote to memory of 920	2772	4ur142Sq.exe	AppLaunch.exe
PID 2772 wrote to memory of 920	2772	4ur142Sq.exe	AppLaunch.exe
PID 4304 wrote to memory of 2496	4304	oJ7sq55.exe	5Kg1JS3.exe
PID 4304 wrote to memory of 2496	4304	oJ7sq55.exe	5Kg1JS3.exe
PID 4304 wrote to memory of 2496	4304	oJ7sq55.exe	5Kg1JS3.exe
PID 2496 wrote to memory of 3892	2496	5Kg1JS3.exe	explothe.exe
PID 2496 wrote to memory of 3892	2496	5Kg1JS3.exe	explothe.exe
PID 2496 wrote to memory of 3892	2496	5Kg1JS3.exe	explothe.exe
PID 1944 wrote to memory of 4136	1944	NEAS.efdd044203d81be9cedcc631506e4660.exe	6XP2tB8.exe
PID 1944 wrote to memory of 4136	1944	NEAS.efdd044203d81be9cedcc631506e4660.exe	6XP2tB8.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.efdd044203d81be9cedcc631506e4660.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.efdd044203d81be9cedcc631506e4660.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oJ7sq55.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oJ7sq55.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4304

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xc3gA90.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xc3gA90.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4976

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Bl9CK11.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Bl9CK11.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RW6kx44.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RW6kx44.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3460

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gf81Sb5.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gf81Sb5.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vd7962.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vd7962.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 540
8⤵
- Program crash
PID:3988

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Wb51ya.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Wb51ya.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2368

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ur142Sq.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ur142Sq.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Kg1JS3.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Kg1JS3.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:3892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
5⤵
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2008

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
6⤵
PID:1780

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
6⤵
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4912

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
6⤵
PID:3096

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
6⤵
PID:4832

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
5⤵
- Creates scheduled task(s)
PID:4560

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6XP2tB8.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6XP2tB8.exe
2⤵
- Executes dropped EXE
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5036 -ip 5036
1⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:2100

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4576

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4424

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6XP2tB8.exe
Filesize
184KB

MD5
32d7ed142c3bfd4ecccdbaf7c2d1f3b3

SHA1
f7c060638c710226bbac2c3cbe252036327426ea

SHA256
7f6e451a2e7a8ab5ce389066834ee14b18c7ddf03168d2efc3669ee1f7ff0fc7

SHA512
b61f90be61a204095d7324b2864c9b51136285be5feaea1c2ad3624086b784fc068ea831a5db51fba31ac988ddae7190b098e0d05248e729da899737c3b8790c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6XP2tB8.exe
Filesize
184KB

MD5
32d7ed142c3bfd4ecccdbaf7c2d1f3b3

SHA1
f7c060638c710226bbac2c3cbe252036327426ea

SHA256
7f6e451a2e7a8ab5ce389066834ee14b18c7ddf03168d2efc3669ee1f7ff0fc7

SHA512
b61f90be61a204095d7324b2864c9b51136285be5feaea1c2ad3624086b784fc068ea831a5db51fba31ac988ddae7190b098e0d05248e729da899737c3b8790c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oJ7sq55.exe
Filesize
1.2MB

MD5
d3ad39157b6df4f00e65f52c827cde8a

SHA1
d36ad721c29b935244be6e00e44a1a55b5e0cb80

SHA256
e119d0c89db4fd03fec18009d714c4f93e3774dcc807ebaf8e7fd46fcb4d19bb

SHA512
1e1a3c3eab600c44ff210d7ca84e0a91210e9dddc625f3b3368805c84509e7dd68bc12f4102c3f5b138a03ff3390313711e0abb8b3c1f9a4d876c55634828888

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oJ7sq55.exe
Filesize
1.2MB

MD5
d3ad39157b6df4f00e65f52c827cde8a

SHA1
d36ad721c29b935244be6e00e44a1a55b5e0cb80

SHA256
e119d0c89db4fd03fec18009d714c4f93e3774dcc807ebaf8e7fd46fcb4d19bb

SHA512
1e1a3c3eab600c44ff210d7ca84e0a91210e9dddc625f3b3368805c84509e7dd68bc12f4102c3f5b138a03ff3390313711e0abb8b3c1f9a4d876c55634828888

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Kg1JS3.exe
Filesize
221KB

MD5
07c83b7755694646d76922d5e21a9c93

SHA1
b1e77093b7c35b9d9d2861add9bd1c7ea1c63254

SHA256
4207171d926026d6088b6e1197f314c22d3366aa00bf94e38728cf616f54e16f

SHA512
f83bb4388318e9dab1740fa75bbb28ad3233a5360f38be0bd5f0587c89c7ddd956102a7f9a204a30860b9b9c5f6ebdbfa4de9b8f8b2def7f748ea3ac3617711f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Kg1JS3.exe
Filesize
221KB

MD5
07c83b7755694646d76922d5e21a9c93

SHA1
b1e77093b7c35b9d9d2861add9bd1c7ea1c63254

SHA256
4207171d926026d6088b6e1197f314c22d3366aa00bf94e38728cf616f54e16f

SHA512
f83bb4388318e9dab1740fa75bbb28ad3233a5360f38be0bd5f0587c89c7ddd956102a7f9a204a30860b9b9c5f6ebdbfa4de9b8f8b2def7f748ea3ac3617711f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xc3gA90.exe
Filesize
1.1MB

MD5
3c15edc30b0664e19498d209b9dd5aee

SHA1
f461e556c753f415826a42b3006015eb510bc58c

SHA256
3502e2eaf16713b8a69ce9153f23ee866d8a74f77d0da2e2ec2df08625cc2033

SHA512
cf8da1d4349428ea15592eb116fd914df6df866e54dc8e91275af94eca62ebe5e5f47dfacc512d80713bb341a654b27d84e774c34d2e81a06b5f011f71b366c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xc3gA90.exe
Filesize
1.1MB

MD5
3c15edc30b0664e19498d209b9dd5aee

SHA1
f461e556c753f415826a42b3006015eb510bc58c

SHA256
3502e2eaf16713b8a69ce9153f23ee866d8a74f77d0da2e2ec2df08625cc2033

SHA512
cf8da1d4349428ea15592eb116fd914df6df866e54dc8e91275af94eca62ebe5e5f47dfacc512d80713bb341a654b27d84e774c34d2e81a06b5f011f71b366c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ur142Sq.exe
Filesize
1.2MB

MD5
49abfe72ebd20c63985b6b6b0efdbd8f

SHA1
6045d7fb714713fe50b7ee968861f865dbd0371e

SHA256
1c8820e889dd1f7bdfb346fc7b846fa38a4b68931f0a2b853089ab7a808541e8

SHA512
70be5bc0dde329e8c9a305f5206455d44a457e400779539f689c8e9391f983b91316bae694f55983c9ccc8dea505fd22c4ae5a54899a8179fa22b30c246df260

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ur142Sq.exe
Filesize
1.2MB

MD5
49abfe72ebd20c63985b6b6b0efdbd8f

SHA1
6045d7fb714713fe50b7ee968861f865dbd0371e

SHA256
1c8820e889dd1f7bdfb346fc7b846fa38a4b68931f0a2b853089ab7a808541e8

SHA512
70be5bc0dde329e8c9a305f5206455d44a457e400779539f689c8e9391f983b91316bae694f55983c9ccc8dea505fd22c4ae5a54899a8179fa22b30c246df260

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Bl9CK11.exe
Filesize
666KB

MD5
ddd010e1d2bc0f4b1f1cced97a999321

SHA1
53a10b02f76f0b8625f5abd00cf8d9e670b8ec8b

SHA256
06cac7e7428f14647ebe8f8154635a90b3948b4ffe00d129bff4a653a58feb7b

SHA512
7de70dc102ae810296b62fd1cdc102b691aa1dd605fdd0bf1c666fdf097cfeb13865e0373c1be068bb108d3df00da18fb7f1159ac0f40352f8d86767f6a7d1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Bl9CK11.exe
Filesize
666KB

MD5
ddd010e1d2bc0f4b1f1cced97a999321

SHA1
53a10b02f76f0b8625f5abd00cf8d9e670b8ec8b

SHA256
06cac7e7428f14647ebe8f8154635a90b3948b4ffe00d129bff4a653a58feb7b

SHA512
7de70dc102ae810296b62fd1cdc102b691aa1dd605fdd0bf1c666fdf097cfeb13865e0373c1be068bb108d3df00da18fb7f1159ac0f40352f8d86767f6a7d1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Wb51ya.exe
Filesize
31KB

MD5
07e4e35e80732d008f028d655a9b0d9c

SHA1
8de3dd0485a3b45d592819f0352ad34807617d2b

SHA256
132b0f46a347c51325b85b12fec0dadb9aec6bca30b52c08afdbeb8a89d343d0

SHA512
4935aac408463237cf161dfeac961a8162727ce21cb6d7f1b97caf6ffecdb6370bae7c801b03892e84b1e7d9ef20990f0291e18707bd0926b18d6e24064bc2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Wb51ya.exe
Filesize
31KB

MD5
07e4e35e80732d008f028d655a9b0d9c

SHA1
8de3dd0485a3b45d592819f0352ad34807617d2b

SHA256
132b0f46a347c51325b85b12fec0dadb9aec6bca30b52c08afdbeb8a89d343d0

SHA512
4935aac408463237cf161dfeac961a8162727ce21cb6d7f1b97caf6ffecdb6370bae7c801b03892e84b1e7d9ef20990f0291e18707bd0926b18d6e24064bc2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RW6kx44.exe
Filesize
542KB

MD5
966c47866243a5e3f7096b32f13870a7

SHA1
bbaebfc3cc231f4ba28de59a1e726fe4bca9a22b

SHA256
3a0f84f03bed354fefab1b16ae8c447101e9694513f1391fcb23674fe3e7c004

SHA512
2f5017ddbf32a03a6bd7f6181469e406e72bad014ad0e800f6892fcc9a42ce73d3e3e64c24081933eebbdc3c893e3746a94a53a12766fab095b0feeb0b7305c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RW6kx44.exe
Filesize
542KB

MD5
966c47866243a5e3f7096b32f13870a7

SHA1
bbaebfc3cc231f4ba28de59a1e726fe4bca9a22b

SHA256
3a0f84f03bed354fefab1b16ae8c447101e9694513f1391fcb23674fe3e7c004

SHA512
2f5017ddbf32a03a6bd7f6181469e406e72bad014ad0e800f6892fcc9a42ce73d3e3e64c24081933eebbdc3c893e3746a94a53a12766fab095b0feeb0b7305c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gf81Sb5.exe
Filesize
933KB

MD5
c8f5e1a4e4f32a479fd656d3833a415d

SHA1
ad40ceb7d87e0fef421a4c6d3e25ee26a0e6e517

SHA256
f9dcad9ffc6fc29bea194e199e12fc31e57f56075336e470049441b749765c12

SHA512
63b226cb2240aa2522fb29c65aa9506b6d9ff31cd4c57766e1a473145744145162bc92bb9a0a288e9257ef40929d9d378627fc2b07de6584bdb1a06297f3f0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gf81Sb5.exe
Filesize
933KB

MD5
c8f5e1a4e4f32a479fd656d3833a415d

SHA1
ad40ceb7d87e0fef421a4c6d3e25ee26a0e6e517

SHA256
f9dcad9ffc6fc29bea194e199e12fc31e57f56075336e470049441b749765c12

SHA512
63b226cb2240aa2522fb29c65aa9506b6d9ff31cd4c57766e1a473145744145162bc92bb9a0a288e9257ef40929d9d378627fc2b07de6584bdb1a06297f3f0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vd7962.exe
Filesize
1.1MB

MD5
f4b5ce03673051d123d51670d9888713

SHA1
363cf988c811605750d6ae413c3907c032456a75

SHA256
19f523f15387121357efcd180eae4b7100fe845466854f302e35b30268523519

SHA512
850052b98da1a5c93b0a5d6f140fb812dfb9861244e7e2866b43787a7fe413aed36c85c313faa0f3265e8af17125e922f766ccac2946ce90164716a479f15abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vd7962.exe
Filesize
1.1MB

MD5
f4b5ce03673051d123d51670d9888713

SHA1
363cf988c811605750d6ae413c3907c032456a75

SHA256
19f523f15387121357efcd180eae4b7100fe845466854f302e35b30268523519

SHA512
850052b98da1a5c93b0a5d6f140fb812dfb9861244e7e2866b43787a7fe413aed36c85c313faa0f3265e8af17125e922f766ccac2946ce90164716a479f15abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
07c83b7755694646d76922d5e21a9c93

SHA1
b1e77093b7c35b9d9d2861add9bd1c7ea1c63254

SHA256
4207171d926026d6088b6e1197f314c22d3366aa00bf94e38728cf616f54e16f

SHA512
f83bb4388318e9dab1740fa75bbb28ad3233a5360f38be0bd5f0587c89c7ddd956102a7f9a204a30860b9b9c5f6ebdbfa4de9b8f8b2def7f748ea3ac3617711f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
07c83b7755694646d76922d5e21a9c93

SHA1
b1e77093b7c35b9d9d2861add9bd1c7ea1c63254

SHA256
4207171d926026d6088b6e1197f314c22d3366aa00bf94e38728cf616f54e16f

SHA512
f83bb4388318e9dab1740fa75bbb28ad3233a5360f38be0bd5f0587c89c7ddd956102a7f9a204a30860b9b9c5f6ebdbfa4de9b8f8b2def7f748ea3ac3617711f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
07c83b7755694646d76922d5e21a9c93

SHA1
b1e77093b7c35b9d9d2861add9bd1c7ea1c63254

SHA256
4207171d926026d6088b6e1197f314c22d3366aa00bf94e38728cf616f54e16f

SHA512
f83bb4388318e9dab1740fa75bbb28ad3233a5360f38be0bd5f0587c89c7ddd956102a7f9a204a30860b9b9c5f6ebdbfa4de9b8f8b2def7f748ea3ac3617711f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
07c83b7755694646d76922d5e21a9c93

SHA1
b1e77093b7c35b9d9d2861add9bd1c7ea1c63254

SHA256
4207171d926026d6088b6e1197f314c22d3366aa00bf94e38728cf616f54e16f

SHA512
f83bb4388318e9dab1740fa75bbb28ad3233a5360f38be0bd5f0587c89c7ddd956102a7f9a204a30860b9b9c5f6ebdbfa4de9b8f8b2def7f748ea3ac3617711f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
07c83b7755694646d76922d5e21a9c93

SHA1
b1e77093b7c35b9d9d2861add9bd1c7ea1c63254

SHA256
4207171d926026d6088b6e1197f314c22d3366aa00bf94e38728cf616f54e16f

SHA512
f83bb4388318e9dab1740fa75bbb28ad3233a5360f38be0bd5f0587c89c7ddd956102a7f9a204a30860b9b9c5f6ebdbfa4de9b8f8b2def7f748ea3ac3617711f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
07c83b7755694646d76922d5e21a9c93

SHA1
b1e77093b7c35b9d9d2861add9bd1c7ea1c63254

SHA256
4207171d926026d6088b6e1197f314c22d3366aa00bf94e38728cf616f54e16f

SHA512
f83bb4388318e9dab1740fa75bbb28ad3233a5360f38be0bd5f0587c89c7ddd956102a7f9a204a30860b9b9c5f6ebdbfa4de9b8f8b2def7f748ea3ac3617711f

Download Submit
memory/920-81-0x0000000007E70000-0x0000000007F7A000-memory.dmp

Filesize
1.0MB

Download
memory/920-82-0x0000000007640000-0x0000000007652000-memory.dmp

Filesize
72KB

Download
memory/920-86-0x00000000075C0000-0x00000000075D0000-memory.dmp

Filesize
64KB

Download
memory/920-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/920-63-0x0000000073C00000-0x00000000743B0000-memory.dmp

Filesize
7.7MB

Download
memory/920-64-0x00000000078C0000-0x0000000007E64000-memory.dmp

Filesize
5.6MB

Download
memory/920-65-0x00000000073B0000-0x0000000007442000-memory.dmp

Filesize
584KB

Download
memory/920-71-0x00000000075C0000-0x00000000075D0000-memory.dmp

Filesize
64KB

Download
memory/920-85-0x0000000073C00000-0x00000000743B0000-memory.dmp

Filesize
7.7MB

Download
memory/920-75-0x0000000007560000-0x000000000756A000-memory.dmp

Filesize
40KB

Download
memory/920-84-0x00000000076E0000-0x000000000772C000-memory.dmp

Filesize
304KB

Download
memory/920-83-0x00000000076A0000-0x00000000076DC000-memory.dmp

Filesize
240KB

Download
memory/920-80-0x0000000008490000-0x0000000008AA8000-memory.dmp

Filesize
6.1MB

Download
memory/2368-47-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2368-52-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3188-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3188-39-0x0000000073C00000-0x00000000743B0000-memory.dmp

Filesize
7.7MB

Download
memory/3188-76-0x0000000073C00000-0x00000000743B0000-memory.dmp

Filesize
7.7MB

Download
memory/3188-56-0x0000000073C00000-0x00000000743B0000-memory.dmp

Filesize
7.7MB

Download
memory/3296-49-0x0000000003360000-0x0000000003376000-memory.dmp

Filesize
88KB

Download
memory/5036-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download