amadey | 58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2023 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe
Size

1.4MB
MD5

f3954f09295d06335add88614fdc5c11
SHA1

3b77942e43cda301fcd783dbecb04b930c2ca92b
SHA256

58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d
SHA512

46ba920f3619edccdd6dcc982bf094d903879e5113029e2f84c32bfc3ab4ca936ba829fd264ced16c7faa286448a79c52719f80203b669f94260cdc092f7daad
SSDEEP

24576:Iy9zWQp41vJ7qEjXnxvfqf0kNIihSRYPNthwEuAGxzcOGyrs7MoAgp5:PLQvJ7bxvS8OhSwwEXGxzcOGyYjt

Score

10^/10

amadey redline smokeloader grome backdoor evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/760-56-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5Re0kN6.exeexplothe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	5Re0kN6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 14 IoCs

Processes:

pa3FP16.exeGP6lG17.exeAN9JP49.exekJ4Tc65.exe1Jz88Oa9.exe2xO2655.exe3ws19lb.exe4yb696Nn.exe5Re0kN6.exeexplothe.exe6Ne8Rh8.exeiGEi8vRP03qtIb7.exeexplothe.exeexplothe.exe

pid	process
3696	pa3FP16.exe
4060	GP6lG17.exe
4504	AN9JP49.exe
3792	kJ4Tc65.exe
1000	1Jz88Oa9.exe
2524	2xO2655.exe
3224	3ws19lb.exe
2528	4yb696Nn.exe
3532	5Re0kN6.exe
3880	explothe.exe
2924	6Ne8Rh8.exe
1456	iGEi8vRP03qtIb7.exe
5056	explothe.exe
380	explothe.exe

Loads dropped DLL 1 IoCs

Processes:

6Ne8Rh8.exe

pid process

2924 6Ne8Rh8.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2924	6Ne8Rh8.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exepa3FP16.exeGP6lG17.exeAN9JP49.exekJ4Tc65.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pa3FP16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	GP6lG17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	AN9JP49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	kJ4Tc65.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1Jz88Oa9.exe2xO2655.exe4yb696Nn.exe

description	pid	process	target process
PID 1000 set thread context of 3408	1000	1Jz88Oa9.exe	AppLaunch.exe
PID 2524 set thread context of 2756	2524	2xO2655.exe	AppLaunch.exe
PID 2528 set thread context of 760	2528	4yb696Nn.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1564 2756 WerFault.exe AppLaunch.exe

pid	pid_target	process	target process
1564	2756	WerFault.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3ws19lb.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3ws19lb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3ws19lb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3ws19lb.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2884 schtasks.exe
1888 schtasks.exe

pid	process
2884	schtasks.exe
1888	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3ws19lb.exeAppLaunch.exe

pid	process
3224	3ws19lb.exe
3224	3ws19lb.exe
3408	AppLaunch.exe
3408	AppLaunch.exe
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3264
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3ws19lb.exe

pid process

3224 3ws19lb.exe

pid	process
3264

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	3408	AppLaunch.exe
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NEAS.58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exepa3FP16.exeGP6lG17.exeAN9JP49.exekJ4Tc65.exe1Jz88Oa9.exe2xO2655.exe4yb696Nn.exe5Re0kN6.exeexplothe.exe

description	pid	process	target process
PID 3116 wrote to memory of 3696	3116	NEAS.58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe	pa3FP16.exe
PID 3116 wrote to memory of 3696	3116	NEAS.58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe	pa3FP16.exe
PID 3116 wrote to memory of 3696	3116	NEAS.58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe	pa3FP16.exe
PID 3696 wrote to memory of 4060	3696	pa3FP16.exe	GP6lG17.exe
PID 3696 wrote to memory of 4060	3696	pa3FP16.exe	GP6lG17.exe
PID 3696 wrote to memory of 4060	3696	pa3FP16.exe	GP6lG17.exe
PID 4060 wrote to memory of 4504	4060	GP6lG17.exe	AN9JP49.exe
PID 4060 wrote to memory of 4504	4060	GP6lG17.exe	AN9JP49.exe
PID 4060 wrote to memory of 4504	4060	GP6lG17.exe	AN9JP49.exe
PID 4504 wrote to memory of 3792	4504	AN9JP49.exe	kJ4Tc65.exe
PID 4504 wrote to memory of 3792	4504	AN9JP49.exe	kJ4Tc65.exe
PID 4504 wrote to memory of 3792	4504	AN9JP49.exe	kJ4Tc65.exe
PID 3792 wrote to memory of 1000	3792	kJ4Tc65.exe	1Jz88Oa9.exe
PID 3792 wrote to memory of 1000	3792	kJ4Tc65.exe	1Jz88Oa9.exe
PID 3792 wrote to memory of 1000	3792	kJ4Tc65.exe	1Jz88Oa9.exe
PID 1000 wrote to memory of 3408	1000	1Jz88Oa9.exe	AppLaunch.exe
PID 1000 wrote to memory of 3408	1000	1Jz88Oa9.exe	AppLaunch.exe
PID 1000 wrote to memory of 3408	1000	1Jz88Oa9.exe	AppLaunch.exe
PID 1000 wrote to memory of 3408	1000	1Jz88Oa9.exe	AppLaunch.exe
PID 1000 wrote to memory of 3408	1000	1Jz88Oa9.exe	AppLaunch.exe
PID 1000 wrote to memory of 3408	1000	1Jz88Oa9.exe	AppLaunch.exe
PID 1000 wrote to memory of 3408	1000	1Jz88Oa9.exe	AppLaunch.exe
PID 1000 wrote to memory of 3408	1000	1Jz88Oa9.exe	AppLaunch.exe
PID 3792 wrote to memory of 2524	3792	kJ4Tc65.exe	2xO2655.exe
PID 3792 wrote to memory of 2524	3792	kJ4Tc65.exe	2xO2655.exe
PID 3792 wrote to memory of 2524	3792	kJ4Tc65.exe	2xO2655.exe
PID 2524 wrote to memory of 2756	2524	2xO2655.exe	AppLaunch.exe
PID 2524 wrote to memory of 2756	2524	2xO2655.exe	AppLaunch.exe
PID 2524 wrote to memory of 2756	2524	2xO2655.exe	AppLaunch.exe
PID 2524 wrote to memory of 2756	2524	2xO2655.exe	AppLaunch.exe
PID 2524 wrote to memory of 2756	2524	2xO2655.exe	AppLaunch.exe
PID 2524 wrote to memory of 2756	2524	2xO2655.exe	AppLaunch.exe
PID 2524 wrote to memory of 2756	2524	2xO2655.exe	AppLaunch.exe
PID 2524 wrote to memory of 2756	2524	2xO2655.exe	AppLaunch.exe
PID 2524 wrote to memory of 2756	2524	2xO2655.exe	AppLaunch.exe
PID 2524 wrote to memory of 2756	2524	2xO2655.exe	AppLaunch.exe
PID 4504 wrote to memory of 3224	4504	AN9JP49.exe	3ws19lb.exe
PID 4504 wrote to memory of 3224	4504	AN9JP49.exe	3ws19lb.exe
PID 4504 wrote to memory of 3224	4504	AN9JP49.exe	3ws19lb.exe
PID 4060 wrote to memory of 2528	4060	GP6lG17.exe	4yb696Nn.exe
PID 4060 wrote to memory of 2528	4060	GP6lG17.exe	4yb696Nn.exe
PID 4060 wrote to memory of 2528	4060	GP6lG17.exe	4yb696Nn.exe
PID 2528 wrote to memory of 760	2528	4yb696Nn.exe	AppLaunch.exe
PID 2528 wrote to memory of 760	2528	4yb696Nn.exe	AppLaunch.exe
PID 2528 wrote to memory of 760	2528	4yb696Nn.exe	AppLaunch.exe
PID 2528 wrote to memory of 760	2528	4yb696Nn.exe	AppLaunch.exe
PID 2528 wrote to memory of 760	2528	4yb696Nn.exe	AppLaunch.exe
PID 2528 wrote to memory of 760	2528	4yb696Nn.exe	AppLaunch.exe
PID 2528 wrote to memory of 760	2528	4yb696Nn.exe	AppLaunch.exe
PID 2528 wrote to memory of 760	2528	4yb696Nn.exe	AppLaunch.exe
PID 3696 wrote to memory of 3532	3696	pa3FP16.exe	5Re0kN6.exe
PID 3696 wrote to memory of 3532	3696	pa3FP16.exe	5Re0kN6.exe
PID 3696 wrote to memory of 3532	3696	pa3FP16.exe	5Re0kN6.exe
PID 3532 wrote to memory of 3880	3532	5Re0kN6.exe	explothe.exe
PID 3532 wrote to memory of 3880	3532	5Re0kN6.exe	explothe.exe
PID 3532 wrote to memory of 3880	3532	5Re0kN6.exe	explothe.exe
PID 3116 wrote to memory of 2924	3116	NEAS.58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe	6Ne8Rh8.exe
PID 3116 wrote to memory of 2924	3116	NEAS.58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe	6Ne8Rh8.exe
PID 3116 wrote to memory of 2924	3116	NEAS.58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe	6Ne8Rh8.exe
PID 3880 wrote to memory of 2884	3880	explothe.exe	schtasks.exe
PID 3880 wrote to memory of 2884	3880	explothe.exe	schtasks.exe
PID 3880 wrote to memory of 2884	3880	explothe.exe	schtasks.exe
PID 3880 wrote to memory of 4428	3880	explothe.exe	cmd.exe
PID 3880 wrote to memory of 4428	3880	explothe.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3116

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pa3FP16.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pa3FP16.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3696

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GP6lG17.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GP6lG17.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4060

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AN9JP49.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AN9JP49.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4504

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kJ4Tc65.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kJ4Tc65.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3792

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jz88Oa9.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jz88Oa9.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xO2655.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xO2655.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 540
8⤵
- Program crash
PID:1564

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ws19lb.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ws19lb.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3224

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4yb696Nn.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4yb696Nn.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Re0kN6.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Re0kN6.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
5⤵
- Creates scheduled task(s)
PID:2884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
5⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1068

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
6⤵
PID:4276

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
6⤵
PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2344

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
6⤵
PID:3704

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
6⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Ne8Rh8.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Ne8Rh8.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924

C:\Users\Admin\AppData\Local\Temp\iGEi8vRP03qtIb7.exe
"C:\Users\Admin\AppData\Local\Temp\iGEi8vRP03qtIb7.exe"
3⤵
- Executes dropped EXE
PID:1456

C:\Windows\SysWOW64\cmd.exe
/c schtasks /create /F /sc minute /mo 15 /tr "C:\Users\Admin\AppData\Local\Temp\iGEi8vRP03qtIb7.exe" /tn "\WindowsAppPool\iGEi8vRP03qtIb7"
3⤵
PID:3216

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /F /sc minute /mo 15 /tr "C:\Users\Admin\AppData\Local\Temp\iGEi8vRP03qtIb7.exe" /tn "\WindowsAppPool\iGEi8vRP03qtIb7"
4⤵
- Creates scheduled task(s)
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2756 -ip 2756
1⤵
PID:4156

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5056

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:380

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\97LYyvft6xAlw4lx.dll
Filesize
778KB

MD5
ca426ad13949eb03954cf6af14ed9ccb

SHA1
f5f46048711a3b10fdd243d450f38c70b2bda65d

SHA256
383f6a8aac6ecde29d4cbde8e31be84a528892cc7295985f1c877fdfbe9e2a2f

SHA512
42494f56d3cd9048b7f912e907bbedf1db140d45834e1f5f79957d6453ea0468f97fe7de6e0e5f4d494cb5eff9a7c5b9005e9a506f82a1d7dcd18f5c3790dee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Ne8Rh8.exe
Filesize
184KB

MD5
8ecde87cdcafbdb1c8765f1ae219207b

SHA1
867e1ae741528cba6e44d7f4bfaa5399200523fa

SHA256
c444717adad4d37ef5c768facd6ae66f7b25307e539a969b620a52192a7348d1

SHA512
5b94ec62128138363d29412e190827f5acd443baa7b636335eb0d327d39fa805590bcad19d3d857619eabbc07dc8e84aff5ea6f0a87a22652db9232fbe7dfe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Ne8Rh8.exe
Filesize
184KB

MD5
8ecde87cdcafbdb1c8765f1ae219207b

SHA1
867e1ae741528cba6e44d7f4bfaa5399200523fa

SHA256
c444717adad4d37ef5c768facd6ae66f7b25307e539a969b620a52192a7348d1

SHA512
5b94ec62128138363d29412e190827f5acd443baa7b636335eb0d327d39fa805590bcad19d3d857619eabbc07dc8e84aff5ea6f0a87a22652db9232fbe7dfe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pa3FP16.exe
Filesize
1.2MB

MD5
8899a80842b05e93d25ab38d5b828787

SHA1
d58f9761f93d715a3d2f8cd01383cf425d64c312

SHA256
36376330a45a3d014b9e2ae1b7fd10f9dd07473bbad5d66cdecc8cc81eb1ba7a

SHA512
60a1c46af1b5e2c70d1cd5b5b49238c97031de8c668bc0e9e0a1c117047ac8d6f1b5b637dbeb4cbf0c03f7dc69fd9275ff90231d881a0df823547abe75f9b55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pa3FP16.exe
Filesize
1.2MB

MD5
8899a80842b05e93d25ab38d5b828787

SHA1
d58f9761f93d715a3d2f8cd01383cf425d64c312

SHA256
36376330a45a3d014b9e2ae1b7fd10f9dd07473bbad5d66cdecc8cc81eb1ba7a

SHA512
60a1c46af1b5e2c70d1cd5b5b49238c97031de8c668bc0e9e0a1c117047ac8d6f1b5b637dbeb4cbf0c03f7dc69fd9275ff90231d881a0df823547abe75f9b55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Re0kN6.exe
Filesize
221KB

MD5
1d7c965b458f0776362b5a89e87b551d

SHA1
cffb78cb2e918b7f5533d942b2dd49125a96376c

SHA256
5686f903876c420b3b781e799ba88985b2762e58bc3545f575a066f3a568923a

SHA512
74de432a0b4b0b4c88c985dde537347b33a982f3065d05183b247e08a4dd4716ff70068fc7a08abafb9413e633e3af03092744a9a04827e7ca277767f7bdc803

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Re0kN6.exe
Filesize
221KB

MD5
1d7c965b458f0776362b5a89e87b551d

SHA1
cffb78cb2e918b7f5533d942b2dd49125a96376c

SHA256
5686f903876c420b3b781e799ba88985b2762e58bc3545f575a066f3a568923a

SHA512
74de432a0b4b0b4c88c985dde537347b33a982f3065d05183b247e08a4dd4716ff70068fc7a08abafb9413e633e3af03092744a9a04827e7ca277767f7bdc803

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GP6lG17.exe
Filesize
1.1MB

MD5
3b3d2da16ee4df6249afac2d10dc7394

SHA1
d59d118b9a173b9802644862a1897fb51883a952

SHA256
bf2a7b3cb4ab3d702b07326cd27ecd0dc85037c42251bfa866b74a15ee78b653

SHA512
8a322eb43079dbfb0afd516c24a4fef4ba196a023dfffbe6ce28603f51a5f9a2d9354b16d675452c86a7cfcdd83a3cf7545b9da27e537d7828f1db8a156b7d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GP6lG17.exe
Filesize
1.1MB

MD5
3b3d2da16ee4df6249afac2d10dc7394

SHA1
d59d118b9a173b9802644862a1897fb51883a952

SHA256
bf2a7b3cb4ab3d702b07326cd27ecd0dc85037c42251bfa866b74a15ee78b653

SHA512
8a322eb43079dbfb0afd516c24a4fef4ba196a023dfffbe6ce28603f51a5f9a2d9354b16d675452c86a7cfcdd83a3cf7545b9da27e537d7828f1db8a156b7d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4yb696Nn.exe
Filesize
1.1MB

MD5
06603e636d6ec1da3ef47b40571920b4

SHA1
77b1a808a3daac10b743967d39aacd1714faad75

SHA256
2ac58de40c57a368a96743afb0ecf2c65f5e5f588bc5e02952d4be97e965d4b2

SHA512
c841ad63c2d5dcba840cdeab9f05b4f7e685fae92772a29d1df477cb4450e5ddffd7566d9665bc260974bb678b38b61e97c263972f9aefb0bbe65b342b20315c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4yb696Nn.exe
Filesize
1.1MB

MD5
06603e636d6ec1da3ef47b40571920b4

SHA1
77b1a808a3daac10b743967d39aacd1714faad75

SHA256
2ac58de40c57a368a96743afb0ecf2c65f5e5f588bc5e02952d4be97e965d4b2

SHA512
c841ad63c2d5dcba840cdeab9f05b4f7e685fae92772a29d1df477cb4450e5ddffd7566d9665bc260974bb678b38b61e97c263972f9aefb0bbe65b342b20315c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AN9JP49.exe
Filesize
668KB

MD5
db562732cfd3cb578775ca96d58334ef

SHA1
9ca32bb1b5d7da442801287bb177165730e3eed8

SHA256
c875c55135f0f453e03f9c6c5a76b82559101506a72ee71885a3f54462fe53d7

SHA512
c2fc51b47da4e2494c60a3ae0ecad326822fb28d9a5e301d5763cc8cfe65f7bd328a5652af2fbe3d41cb73892ad4e74a91a5712f640e4955f172ab4eb347ab50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AN9JP49.exe
Filesize
668KB

MD5
db562732cfd3cb578775ca96d58334ef

SHA1
9ca32bb1b5d7da442801287bb177165730e3eed8

SHA256
c875c55135f0f453e03f9c6c5a76b82559101506a72ee71885a3f54462fe53d7

SHA512
c2fc51b47da4e2494c60a3ae0ecad326822fb28d9a5e301d5763cc8cfe65f7bd328a5652af2fbe3d41cb73892ad4e74a91a5712f640e4955f172ab4eb347ab50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ws19lb.exe
Filesize
31KB

MD5
4afa640f032370b3b391107f6b7a3b93

SHA1
f9e541c25133a4f0729d0388d8ebbca4e21f09d7

SHA256
54cbb2a876af76713631e3a37e12f8a86f87c99bd4809314712b478031cfc3c2

SHA512
9149ac625e693251af43e83bd7caa8f46ada809ad346c81c1498d9503a7fe6dedb41751c84cd7a41dab51ed90c3cc7ae71a634401117f64c7f6fa63d10f3db42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ws19lb.exe
Filesize
31KB

MD5
4afa640f032370b3b391107f6b7a3b93

SHA1
f9e541c25133a4f0729d0388d8ebbca4e21f09d7

SHA256
54cbb2a876af76713631e3a37e12f8a86f87c99bd4809314712b478031cfc3c2

SHA512
9149ac625e693251af43e83bd7caa8f46ada809ad346c81c1498d9503a7fe6dedb41751c84cd7a41dab51ed90c3cc7ae71a634401117f64c7f6fa63d10f3db42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kJ4Tc65.exe
Filesize
544KB

MD5
9fe45b14a7e9b92f62e8efcdffefa71e

SHA1
36a740fa43d0ac465109755a285c114d0cb6a0f4

SHA256
afbdc3c0e550f126ac5a5f1f5d5ec1f7c9cc1b6b42103386509419b1da402f52

SHA512
a5eef592e2aff7c3acd69f37b09cb53fc1017bef9e07b0c995f1c1131ff35ceac218fc696d999b0638a21c6ad2afd79e7413a06b2e99f8053f83830a44a11a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kJ4Tc65.exe
Filesize
544KB

MD5
9fe45b14a7e9b92f62e8efcdffefa71e

SHA1
36a740fa43d0ac465109755a285c114d0cb6a0f4

SHA256
afbdc3c0e550f126ac5a5f1f5d5ec1f7c9cc1b6b42103386509419b1da402f52

SHA512
a5eef592e2aff7c3acd69f37b09cb53fc1017bef9e07b0c995f1c1131ff35ceac218fc696d999b0638a21c6ad2afd79e7413a06b2e99f8053f83830a44a11a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jz88Oa9.exe
Filesize
933KB

MD5
1abf943cc832dd82b467ffe4d2e8af20

SHA1
e9a506ed241d3244653941196baec1dc094e063e

SHA256
115313cab36d6b2828cbc8654e8ba73db8962940c2fac8aa1626b42ce1ee8a3c

SHA512
7b3b5f68e8b918bc3e9e84cfba91a237f9a39dc9f4430d148b362d1b0412cb6731c28a910e024c6ad1c43c6dc6fe721c59e363df873e5baef6e633c65a632237

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jz88Oa9.exe
Filesize
933KB

MD5
1abf943cc832dd82b467ffe4d2e8af20

SHA1
e9a506ed241d3244653941196baec1dc094e063e

SHA256
115313cab36d6b2828cbc8654e8ba73db8962940c2fac8aa1626b42ce1ee8a3c

SHA512
7b3b5f68e8b918bc3e9e84cfba91a237f9a39dc9f4430d148b362d1b0412cb6731c28a910e024c6ad1c43c6dc6fe721c59e363df873e5baef6e633c65a632237

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xO2655.exe
Filesize
1.1MB

MD5
80c41da64f85220763bd1c1b6c8c5f13

SHA1
3b1c63bcbcea55eaaf29a9126c42c9cc8bdf4bef

SHA256
74f0fd2b74974231e9ebe21642ba9e9b9769fc7b3503305aa9e122e9821e0499

SHA512
5615fd765a7a111c5f3d948d546f3805a5093f014278a31bc2d2bdbf1fce85ba9b6089e3ce403b2b8871dc8e4345ac0a380f0a938c30421ea88b04260c530cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xO2655.exe
Filesize
1.1MB

MD5
80c41da64f85220763bd1c1b6c8c5f13

SHA1
3b1c63bcbcea55eaaf29a9126c42c9cc8bdf4bef

SHA256
74f0fd2b74974231e9ebe21642ba9e9b9769fc7b3503305aa9e122e9821e0499

SHA512
5615fd765a7a111c5f3d948d546f3805a5093f014278a31bc2d2bdbf1fce85ba9b6089e3ce403b2b8871dc8e4345ac0a380f0a938c30421ea88b04260c530cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
1d7c965b458f0776362b5a89e87b551d

SHA1
cffb78cb2e918b7f5533d942b2dd49125a96376c

SHA256
5686f903876c420b3b781e799ba88985b2762e58bc3545f575a066f3a568923a

SHA512
74de432a0b4b0b4c88c985dde537347b33a982f3065d05183b247e08a4dd4716ff70068fc7a08abafb9413e633e3af03092744a9a04827e7ca277767f7bdc803

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
1d7c965b458f0776362b5a89e87b551d

SHA1
cffb78cb2e918b7f5533d942b2dd49125a96376c

SHA256
5686f903876c420b3b781e799ba88985b2762e58bc3545f575a066f3a568923a

SHA512
74de432a0b4b0b4c88c985dde537347b33a982f3065d05183b247e08a4dd4716ff70068fc7a08abafb9413e633e3af03092744a9a04827e7ca277767f7bdc803

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
1d7c965b458f0776362b5a89e87b551d

SHA1
cffb78cb2e918b7f5533d942b2dd49125a96376c

SHA256
5686f903876c420b3b781e799ba88985b2762e58bc3545f575a066f3a568923a

SHA512
74de432a0b4b0b4c88c985dde537347b33a982f3065d05183b247e08a4dd4716ff70068fc7a08abafb9413e633e3af03092744a9a04827e7ca277767f7bdc803

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
1d7c965b458f0776362b5a89e87b551d

SHA1
cffb78cb2e918b7f5533d942b2dd49125a96376c

SHA256
5686f903876c420b3b781e799ba88985b2762e58bc3545f575a066f3a568923a

SHA512
74de432a0b4b0b4c88c985dde537347b33a982f3065d05183b247e08a4dd4716ff70068fc7a08abafb9413e633e3af03092744a9a04827e7ca277767f7bdc803

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
1d7c965b458f0776362b5a89e87b551d

SHA1
cffb78cb2e918b7f5533d942b2dd49125a96376c

SHA256
5686f903876c420b3b781e799ba88985b2762e58bc3545f575a066f3a568923a

SHA512
74de432a0b4b0b4c88c985dde537347b33a982f3065d05183b247e08a4dd4716ff70068fc7a08abafb9413e633e3af03092744a9a04827e7ca277767f7bdc803

Download Submit
C:\Users\Admin\AppData\Local\Temp\iGEi8vRP03qtIb7.exe
Filesize
180KB

MD5
03dcb0a8a798ed68c6521c7aca73c404

SHA1
90cc13515fa4305570c6907f2d2abfd5523c456c

SHA256
6cc811f59bdf17c52aa4ab3a76c4a2f0b7276ea9e5d41598876eeb405949cb77

SHA512
14bc7252ec34b36498ecc172c1e075c652a048445ac5e187ae3c29c1e1617790a6d793f17335a9823002432c561296a824472f8a5046df3582f762b80c48260f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iGEi8vRP03qtIb7.exe
Filesize
180KB

MD5
03dcb0a8a798ed68c6521c7aca73c404

SHA1
90cc13515fa4305570c6907f2d2abfd5523c456c

SHA256
6cc811f59bdf17c52aa4ab3a76c4a2f0b7276ea9e5d41598876eeb405949cb77

SHA512
14bc7252ec34b36498ecc172c1e075c652a048445ac5e187ae3c29c1e1617790a6d793f17335a9823002432c561296a824472f8a5046df3582f762b80c48260f

Download Submit
memory/760-78-0x0000000007F90000-0x00000000085A8000-memory.dmp

Filesize
6.1MB

Download
memory/760-80-0x00000000070B0000-0x00000000070C2000-memory.dmp

Filesize
72KB

Download
memory/760-117-0x0000000004840000-0x0000000004850000-memory.dmp

Filesize
64KB

Download
memory/760-64-0x00000000073C0000-0x0000000007964000-memory.dmp

Filesize
5.6MB

Download
memory/760-65-0x0000000006E10000-0x0000000006EA2000-memory.dmp

Filesize
584KB

Download
memory/760-66-0x0000000004840000-0x0000000004850000-memory.dmp

Filesize
64KB

Download
memory/760-71-0x0000000006EE0000-0x0000000006EEA000-memory.dmp

Filesize
40KB

Download
memory/760-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/760-116-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download
memory/760-90-0x0000000007290000-0x00000000072DC000-memory.dmp

Filesize
304KB

Download
memory/760-82-0x0000000007110000-0x000000000714C000-memory.dmp

Filesize
240KB

Download
memory/760-61-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download
memory/760-79-0x0000000007180000-0x000000000728A000-memory.dmp

Filesize
1.0MB

Download
memory/2756-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-48-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3224-52-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3264-49-0x0000000002E40000-0x0000000002E56000-memory.dmp

Filesize
88KB

Download
memory/3408-83-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download
memory/3408-57-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download
memory/3408-39-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download
memory/3408-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download