amadey | 5a85a640119e6cad9084970e29457d5c61ce4e4d56eec0c2d5867257ea8f49cd

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2023 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe
Size

1.4MB
MD5

f3954f09295d06335add88614fdc5c11
SHA1

3b77942e43cda301fcd783dbecb04b930c2ca92b
SHA256

58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d
SHA512

46ba920f3619edccdd6dcc982bf094d903879e5113029e2f84c32bfc3ab4ca936ba829fd264ced16c7faa286448a79c52719f80203b669f94260cdc092f7daad
SSDEEP

24576:Iy9zWQp41vJ7qEjXnxvfqf0kNIihSRYPNthwEuAGxzcOGyrs7MoAgp5:PLQvJ7bxvS8OhSwwEXGxzcOGyYjt

Score

10^/10

amadey redline smokeloader grome backdoor evasion infostealer persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/808-56-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5Re0kN6.exeexplothe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	5Re0kN6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 13 IoCs

Processes:

pa3FP16.exeGP6lG17.exeAN9JP49.exekJ4Tc65.exe1Jz88Oa9.exe2xO2655.exe3ws19lb.exe4yb696Nn.exe5Re0kN6.exeexplothe.exe6Ne8Rh8.exeexplothe.exeexplothe.exe

pid	process
5096	pa3FP16.exe
4820	GP6lG17.exe
3584	AN9JP49.exe
3548	kJ4Tc65.exe
4068	1Jz88Oa9.exe
3920	2xO2655.exe
4080	3ws19lb.exe
3860	4yb696Nn.exe
4656	5Re0kN6.exe
4216	explothe.exe
1296	6Ne8Rh8.exe
4336	explothe.exe
8	explothe.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pa3FP16.exeGP6lG17.exeAN9JP49.exekJ4Tc65.exe58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pa3FP16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	GP6lG17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	AN9JP49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	kJ4Tc65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1Jz88Oa9.exe2xO2655.exe4yb696Nn.exe

description	pid	process	target process
PID 4068 set thread context of 4056	4068	1Jz88Oa9.exe	AppLaunch.exe
PID 3920 set thread context of 3792	3920	2xO2655.exe	AppLaunch.exe
PID 3860 set thread context of 808	3860	4yb696Nn.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4440 3792 WerFault.exe AppLaunch.exe

pid	pid_target	process	target process
4440	3792	WerFault.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3ws19lb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3ws19lb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3ws19lb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3ws19lb.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3336 schtasks.exe

pid	process
3336	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exe3ws19lb.exe

pid	process
4056	AppLaunch.exe
4056	AppLaunch.exe
4080	3ws19lb.exe
4080	3ws19lb.exe
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3160
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3ws19lb.exe

pid process

4080 3ws19lb.exe

pid	process
3160

pid	process
4080	3ws19lb.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4056	AppLaunch.exe
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3160

pid	process
3160

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exepa3FP16.exeGP6lG17.exeAN9JP49.exekJ4Tc65.exe1Jz88Oa9.exe2xO2655.exe4yb696Nn.exe5Re0kN6.exeexplothe.exe

description	pid	process	target process
PID 4004 wrote to memory of 5096	4004	58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe	pa3FP16.exe
PID 4004 wrote to memory of 5096	4004	58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe	pa3FP16.exe
PID 4004 wrote to memory of 5096	4004	58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe	pa3FP16.exe
PID 5096 wrote to memory of 4820	5096	pa3FP16.exe	GP6lG17.exe
PID 5096 wrote to memory of 4820	5096	pa3FP16.exe	GP6lG17.exe
PID 5096 wrote to memory of 4820	5096	pa3FP16.exe	GP6lG17.exe
PID 4820 wrote to memory of 3584	4820	GP6lG17.exe	AN9JP49.exe
PID 4820 wrote to memory of 3584	4820	GP6lG17.exe	AN9JP49.exe
PID 4820 wrote to memory of 3584	4820	GP6lG17.exe	AN9JP49.exe
PID 3584 wrote to memory of 3548	3584	AN9JP49.exe	kJ4Tc65.exe
PID 3584 wrote to memory of 3548	3584	AN9JP49.exe	kJ4Tc65.exe
PID 3584 wrote to memory of 3548	3584	AN9JP49.exe	kJ4Tc65.exe
PID 3548 wrote to memory of 4068	3548	kJ4Tc65.exe	1Jz88Oa9.exe
PID 3548 wrote to memory of 4068	3548	kJ4Tc65.exe	1Jz88Oa9.exe
PID 3548 wrote to memory of 4068	3548	kJ4Tc65.exe	1Jz88Oa9.exe
PID 4068 wrote to memory of 4056	4068	1Jz88Oa9.exe	AppLaunch.exe
PID 4068 wrote to memory of 4056	4068	1Jz88Oa9.exe	AppLaunch.exe
PID 4068 wrote to memory of 4056	4068	1Jz88Oa9.exe	AppLaunch.exe
PID 4068 wrote to memory of 4056	4068	1Jz88Oa9.exe	AppLaunch.exe
PID 4068 wrote to memory of 4056	4068	1Jz88Oa9.exe	AppLaunch.exe
PID 4068 wrote to memory of 4056	4068	1Jz88Oa9.exe	AppLaunch.exe
PID 4068 wrote to memory of 4056	4068	1Jz88Oa9.exe	AppLaunch.exe
PID 4068 wrote to memory of 4056	4068	1Jz88Oa9.exe	AppLaunch.exe
PID 3548 wrote to memory of 3920	3548	kJ4Tc65.exe	2xO2655.exe
PID 3548 wrote to memory of 3920	3548	kJ4Tc65.exe	2xO2655.exe
PID 3548 wrote to memory of 3920	3548	kJ4Tc65.exe	2xO2655.exe
PID 3920 wrote to memory of 3228	3920	2xO2655.exe	AppLaunch.exe
PID 3920 wrote to memory of 3228	3920	2xO2655.exe	AppLaunch.exe
PID 3920 wrote to memory of 3228	3920	2xO2655.exe	AppLaunch.exe
PID 3920 wrote to memory of 3792	3920	2xO2655.exe	AppLaunch.exe
PID 3920 wrote to memory of 3792	3920	2xO2655.exe	AppLaunch.exe
PID 3920 wrote to memory of 3792	3920	2xO2655.exe	AppLaunch.exe
PID 3920 wrote to memory of 3792	3920	2xO2655.exe	AppLaunch.exe
PID 3920 wrote to memory of 3792	3920	2xO2655.exe	AppLaunch.exe
PID 3920 wrote to memory of 3792	3920	2xO2655.exe	AppLaunch.exe
PID 3920 wrote to memory of 3792	3920	2xO2655.exe	AppLaunch.exe
PID 3920 wrote to memory of 3792	3920	2xO2655.exe	AppLaunch.exe
PID 3920 wrote to memory of 3792	3920	2xO2655.exe	AppLaunch.exe
PID 3920 wrote to memory of 3792	3920	2xO2655.exe	AppLaunch.exe
PID 3584 wrote to memory of 4080	3584	AN9JP49.exe	3ws19lb.exe
PID 3584 wrote to memory of 4080	3584	AN9JP49.exe	3ws19lb.exe
PID 3584 wrote to memory of 4080	3584	AN9JP49.exe	3ws19lb.exe
PID 4820 wrote to memory of 3860	4820	GP6lG17.exe	4yb696Nn.exe
PID 4820 wrote to memory of 3860	4820	GP6lG17.exe	4yb696Nn.exe
PID 4820 wrote to memory of 3860	4820	GP6lG17.exe	4yb696Nn.exe
PID 3860 wrote to memory of 808	3860	4yb696Nn.exe	AppLaunch.exe
PID 3860 wrote to memory of 808	3860	4yb696Nn.exe	AppLaunch.exe
PID 3860 wrote to memory of 808	3860	4yb696Nn.exe	AppLaunch.exe
PID 3860 wrote to memory of 808	3860	4yb696Nn.exe	AppLaunch.exe
PID 3860 wrote to memory of 808	3860	4yb696Nn.exe	AppLaunch.exe
PID 3860 wrote to memory of 808	3860	4yb696Nn.exe	AppLaunch.exe
PID 3860 wrote to memory of 808	3860	4yb696Nn.exe	AppLaunch.exe
PID 3860 wrote to memory of 808	3860	4yb696Nn.exe	AppLaunch.exe
PID 5096 wrote to memory of 4656	5096	pa3FP16.exe	5Re0kN6.exe
PID 5096 wrote to memory of 4656	5096	pa3FP16.exe	5Re0kN6.exe
PID 5096 wrote to memory of 4656	5096	pa3FP16.exe	5Re0kN6.exe
PID 4656 wrote to memory of 4216	4656	5Re0kN6.exe	explothe.exe
PID 4656 wrote to memory of 4216	4656	5Re0kN6.exe	explothe.exe
PID 4656 wrote to memory of 4216	4656	5Re0kN6.exe	explothe.exe
PID 4004 wrote to memory of 1296	4004	58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe	6Ne8Rh8.exe
PID 4004 wrote to memory of 1296	4004	58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe	6Ne8Rh8.exe
PID 4004 wrote to memory of 1296	4004	58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe	6Ne8Rh8.exe
PID 4216 wrote to memory of 3336	4216	explothe.exe	schtasks.exe
PID 4216 wrote to memory of 3336	4216	explothe.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe
"C:\Users\Admin\AppData\Local\Temp\58819797b2d944a25c3b7aa36af2fb16f7c8b4fd36cca4f2a241aa6d62b2945d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4004

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pa3FP16.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pa3FP16.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5096

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GP6lG17.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GP6lG17.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4820

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AN9JP49.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AN9JP49.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3584

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kJ4Tc65.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kJ4Tc65.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3548

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jz88Oa9.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jz88Oa9.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xO2655.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xO2655.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 204
8⤵
- Program crash
PID:4440

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ws19lb.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ws19lb.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4yb696Nn.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4yb696Nn.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Re0kN6.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Re0kN6.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
5⤵
- Creates scheduled task(s)
PID:3336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
5⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1464

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
6⤵
PID:2208

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
6⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:3948

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
6⤵
PID:2752

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
6⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Ne8Rh8.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Ne8Rh8.exe
2⤵
- Executes dropped EXE
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3792 -ip 3792
1⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:8

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Ne8Rh8.exe
Filesize
184KB

MD5
8ecde87cdcafbdb1c8765f1ae219207b

SHA1
867e1ae741528cba6e44d7f4bfaa5399200523fa

SHA256
c444717adad4d37ef5c768facd6ae66f7b25307e539a969b620a52192a7348d1

SHA512
5b94ec62128138363d29412e190827f5acd443baa7b636335eb0d327d39fa805590bcad19d3d857619eabbc07dc8e84aff5ea6f0a87a22652db9232fbe7dfe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Ne8Rh8.exe
Filesize
184KB

MD5
8ecde87cdcafbdb1c8765f1ae219207b

SHA1
867e1ae741528cba6e44d7f4bfaa5399200523fa

SHA256
c444717adad4d37ef5c768facd6ae66f7b25307e539a969b620a52192a7348d1

SHA512
5b94ec62128138363d29412e190827f5acd443baa7b636335eb0d327d39fa805590bcad19d3d857619eabbc07dc8e84aff5ea6f0a87a22652db9232fbe7dfe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pa3FP16.exe
Filesize
1.2MB

MD5
8899a80842b05e93d25ab38d5b828787

SHA1
d58f9761f93d715a3d2f8cd01383cf425d64c312

SHA256
36376330a45a3d014b9e2ae1b7fd10f9dd07473bbad5d66cdecc8cc81eb1ba7a

SHA512
60a1c46af1b5e2c70d1cd5b5b49238c97031de8c668bc0e9e0a1c117047ac8d6f1b5b637dbeb4cbf0c03f7dc69fd9275ff90231d881a0df823547abe75f9b55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pa3FP16.exe
Filesize
1.2MB

MD5
8899a80842b05e93d25ab38d5b828787

SHA1
d58f9761f93d715a3d2f8cd01383cf425d64c312

SHA256
36376330a45a3d014b9e2ae1b7fd10f9dd07473bbad5d66cdecc8cc81eb1ba7a

SHA512
60a1c46af1b5e2c70d1cd5b5b49238c97031de8c668bc0e9e0a1c117047ac8d6f1b5b637dbeb4cbf0c03f7dc69fd9275ff90231d881a0df823547abe75f9b55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Re0kN6.exe
Filesize
221KB

MD5
1d7c965b458f0776362b5a89e87b551d

SHA1
cffb78cb2e918b7f5533d942b2dd49125a96376c

SHA256
5686f903876c420b3b781e799ba88985b2762e58bc3545f575a066f3a568923a

SHA512
74de432a0b4b0b4c88c985dde537347b33a982f3065d05183b247e08a4dd4716ff70068fc7a08abafb9413e633e3af03092744a9a04827e7ca277767f7bdc803

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Re0kN6.exe
Filesize
221KB

MD5
1d7c965b458f0776362b5a89e87b551d

SHA1
cffb78cb2e918b7f5533d942b2dd49125a96376c

SHA256
5686f903876c420b3b781e799ba88985b2762e58bc3545f575a066f3a568923a

SHA512
74de432a0b4b0b4c88c985dde537347b33a982f3065d05183b247e08a4dd4716ff70068fc7a08abafb9413e633e3af03092744a9a04827e7ca277767f7bdc803

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GP6lG17.exe
Filesize
1.1MB

MD5
3b3d2da16ee4df6249afac2d10dc7394

SHA1
d59d118b9a173b9802644862a1897fb51883a952

SHA256
bf2a7b3cb4ab3d702b07326cd27ecd0dc85037c42251bfa866b74a15ee78b653

SHA512
8a322eb43079dbfb0afd516c24a4fef4ba196a023dfffbe6ce28603f51a5f9a2d9354b16d675452c86a7cfcdd83a3cf7545b9da27e537d7828f1db8a156b7d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GP6lG17.exe
Filesize
1.1MB

MD5
3b3d2da16ee4df6249afac2d10dc7394

SHA1
d59d118b9a173b9802644862a1897fb51883a952

SHA256
bf2a7b3cb4ab3d702b07326cd27ecd0dc85037c42251bfa866b74a15ee78b653

SHA512
8a322eb43079dbfb0afd516c24a4fef4ba196a023dfffbe6ce28603f51a5f9a2d9354b16d675452c86a7cfcdd83a3cf7545b9da27e537d7828f1db8a156b7d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4yb696Nn.exe
Filesize
1.1MB

MD5
06603e636d6ec1da3ef47b40571920b4

SHA1
77b1a808a3daac10b743967d39aacd1714faad75

SHA256
2ac58de40c57a368a96743afb0ecf2c65f5e5f588bc5e02952d4be97e965d4b2

SHA512
c841ad63c2d5dcba840cdeab9f05b4f7e685fae92772a29d1df477cb4450e5ddffd7566d9665bc260974bb678b38b61e97c263972f9aefb0bbe65b342b20315c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4yb696Nn.exe
Filesize
1.1MB

MD5
06603e636d6ec1da3ef47b40571920b4

SHA1
77b1a808a3daac10b743967d39aacd1714faad75

SHA256
2ac58de40c57a368a96743afb0ecf2c65f5e5f588bc5e02952d4be97e965d4b2

SHA512
c841ad63c2d5dcba840cdeab9f05b4f7e685fae92772a29d1df477cb4450e5ddffd7566d9665bc260974bb678b38b61e97c263972f9aefb0bbe65b342b20315c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AN9JP49.exe
Filesize
668KB

MD5
db562732cfd3cb578775ca96d58334ef

SHA1
9ca32bb1b5d7da442801287bb177165730e3eed8

SHA256
c875c55135f0f453e03f9c6c5a76b82559101506a72ee71885a3f54462fe53d7

SHA512
c2fc51b47da4e2494c60a3ae0ecad326822fb28d9a5e301d5763cc8cfe65f7bd328a5652af2fbe3d41cb73892ad4e74a91a5712f640e4955f172ab4eb347ab50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AN9JP49.exe
Filesize
668KB

MD5
db562732cfd3cb578775ca96d58334ef

SHA1
9ca32bb1b5d7da442801287bb177165730e3eed8

SHA256
c875c55135f0f453e03f9c6c5a76b82559101506a72ee71885a3f54462fe53d7

SHA512
c2fc51b47da4e2494c60a3ae0ecad326822fb28d9a5e301d5763cc8cfe65f7bd328a5652af2fbe3d41cb73892ad4e74a91a5712f640e4955f172ab4eb347ab50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ws19lb.exe
Filesize
31KB

MD5
4afa640f032370b3b391107f6b7a3b93

SHA1
f9e541c25133a4f0729d0388d8ebbca4e21f09d7

SHA256
54cbb2a876af76713631e3a37e12f8a86f87c99bd4809314712b478031cfc3c2

SHA512
9149ac625e693251af43e83bd7caa8f46ada809ad346c81c1498d9503a7fe6dedb41751c84cd7a41dab51ed90c3cc7ae71a634401117f64c7f6fa63d10f3db42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ws19lb.exe
Filesize
31KB

MD5
4afa640f032370b3b391107f6b7a3b93

SHA1
f9e541c25133a4f0729d0388d8ebbca4e21f09d7

SHA256
54cbb2a876af76713631e3a37e12f8a86f87c99bd4809314712b478031cfc3c2

SHA512
9149ac625e693251af43e83bd7caa8f46ada809ad346c81c1498d9503a7fe6dedb41751c84cd7a41dab51ed90c3cc7ae71a634401117f64c7f6fa63d10f3db42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kJ4Tc65.exe
Filesize
544KB

MD5
9fe45b14a7e9b92f62e8efcdffefa71e

SHA1
36a740fa43d0ac465109755a285c114d0cb6a0f4

SHA256
afbdc3c0e550f126ac5a5f1f5d5ec1f7c9cc1b6b42103386509419b1da402f52

SHA512
a5eef592e2aff7c3acd69f37b09cb53fc1017bef9e07b0c995f1c1131ff35ceac218fc696d999b0638a21c6ad2afd79e7413a06b2e99f8053f83830a44a11a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kJ4Tc65.exe
Filesize
544KB

MD5
9fe45b14a7e9b92f62e8efcdffefa71e

SHA1
36a740fa43d0ac465109755a285c114d0cb6a0f4

SHA256
afbdc3c0e550f126ac5a5f1f5d5ec1f7c9cc1b6b42103386509419b1da402f52

SHA512
a5eef592e2aff7c3acd69f37b09cb53fc1017bef9e07b0c995f1c1131ff35ceac218fc696d999b0638a21c6ad2afd79e7413a06b2e99f8053f83830a44a11a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jz88Oa9.exe
Filesize
933KB

MD5
1abf943cc832dd82b467ffe4d2e8af20

SHA1
e9a506ed241d3244653941196baec1dc094e063e

SHA256
115313cab36d6b2828cbc8654e8ba73db8962940c2fac8aa1626b42ce1ee8a3c

SHA512
7b3b5f68e8b918bc3e9e84cfba91a237f9a39dc9f4430d148b362d1b0412cb6731c28a910e024c6ad1c43c6dc6fe721c59e363df873e5baef6e633c65a632237

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jz88Oa9.exe
Filesize
933KB

MD5
1abf943cc832dd82b467ffe4d2e8af20

SHA1
e9a506ed241d3244653941196baec1dc094e063e

SHA256
115313cab36d6b2828cbc8654e8ba73db8962940c2fac8aa1626b42ce1ee8a3c

SHA512
7b3b5f68e8b918bc3e9e84cfba91a237f9a39dc9f4430d148b362d1b0412cb6731c28a910e024c6ad1c43c6dc6fe721c59e363df873e5baef6e633c65a632237

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xO2655.exe
Filesize
1.1MB

MD5
80c41da64f85220763bd1c1b6c8c5f13

SHA1
3b1c63bcbcea55eaaf29a9126c42c9cc8bdf4bef

SHA256
74f0fd2b74974231e9ebe21642ba9e9b9769fc7b3503305aa9e122e9821e0499

SHA512
5615fd765a7a111c5f3d948d546f3805a5093f014278a31bc2d2bdbf1fce85ba9b6089e3ce403b2b8871dc8e4345ac0a380f0a938c30421ea88b04260c530cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xO2655.exe
Filesize
1.1MB

MD5
80c41da64f85220763bd1c1b6c8c5f13

SHA1
3b1c63bcbcea55eaaf29a9126c42c9cc8bdf4bef

SHA256
74f0fd2b74974231e9ebe21642ba9e9b9769fc7b3503305aa9e122e9821e0499

SHA512
5615fd765a7a111c5f3d948d546f3805a5093f014278a31bc2d2bdbf1fce85ba9b6089e3ce403b2b8871dc8e4345ac0a380f0a938c30421ea88b04260c530cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
1d7c965b458f0776362b5a89e87b551d

SHA1
cffb78cb2e918b7f5533d942b2dd49125a96376c

SHA256
5686f903876c420b3b781e799ba88985b2762e58bc3545f575a066f3a568923a

SHA512
74de432a0b4b0b4c88c985dde537347b33a982f3065d05183b247e08a4dd4716ff70068fc7a08abafb9413e633e3af03092744a9a04827e7ca277767f7bdc803

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
1d7c965b458f0776362b5a89e87b551d

SHA1
cffb78cb2e918b7f5533d942b2dd49125a96376c

SHA256
5686f903876c420b3b781e799ba88985b2762e58bc3545f575a066f3a568923a

SHA512
74de432a0b4b0b4c88c985dde537347b33a982f3065d05183b247e08a4dd4716ff70068fc7a08abafb9413e633e3af03092744a9a04827e7ca277767f7bdc803

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
1d7c965b458f0776362b5a89e87b551d

SHA1
cffb78cb2e918b7f5533d942b2dd49125a96376c

SHA256
5686f903876c420b3b781e799ba88985b2762e58bc3545f575a066f3a568923a

SHA512
74de432a0b4b0b4c88c985dde537347b33a982f3065d05183b247e08a4dd4716ff70068fc7a08abafb9413e633e3af03092744a9a04827e7ca277767f7bdc803

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
1d7c965b458f0776362b5a89e87b551d

SHA1
cffb78cb2e918b7f5533d942b2dd49125a96376c

SHA256
5686f903876c420b3b781e799ba88985b2762e58bc3545f575a066f3a568923a

SHA512
74de432a0b4b0b4c88c985dde537347b33a982f3065d05183b247e08a4dd4716ff70068fc7a08abafb9413e633e3af03092744a9a04827e7ca277767f7bdc803

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
1d7c965b458f0776362b5a89e87b551d

SHA1
cffb78cb2e918b7f5533d942b2dd49125a96376c

SHA256
5686f903876c420b3b781e799ba88985b2762e58bc3545f575a066f3a568923a

SHA512
74de432a0b4b0b4c88c985dde537347b33a982f3065d05183b247e08a4dd4716ff70068fc7a08abafb9413e633e3af03092744a9a04827e7ca277767f7bdc803

Download Submit
memory/808-75-0x0000000007710000-0x000000000771A000-memory.dmp

Filesize
40KB

Download
memory/808-80-0x00000000079B0000-0x0000000007ABA000-memory.dmp

Filesize
1.0MB

Download
memory/808-86-0x0000000007790000-0x00000000077A0000-memory.dmp

Filesize
64KB

Download
memory/808-85-0x0000000073C80000-0x0000000074430000-memory.dmp

Filesize
7.7MB

Download
memory/808-84-0x0000000007AC0000-0x0000000007B0C000-memory.dmp

Filesize
304KB

Download
memory/808-63-0x0000000007B60000-0x0000000008104000-memory.dmp

Filesize
5.6MB

Download
memory/808-64-0x0000000073C80000-0x0000000074430000-memory.dmp

Filesize
7.7MB

Download
memory/808-65-0x0000000007650000-0x00000000076E2000-memory.dmp

Filesize
584KB

Download
memory/808-67-0x0000000007790000-0x00000000077A0000-memory.dmp

Filesize
64KB

Download
memory/808-83-0x0000000007940000-0x000000000797C000-memory.dmp

Filesize
240KB

Download
memory/808-82-0x00000000078E0000-0x00000000078F2000-memory.dmp

Filesize
72KB

Download
memory/808-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/808-78-0x0000000008730000-0x0000000008D48000-memory.dmp

Filesize
6.1MB

Download
memory/3160-49-0x0000000002AE0000-0x0000000002AF6000-memory.dmp

Filesize
88KB

Download
memory/3792-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3792-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3792-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3792-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4056-81-0x0000000073C80000-0x0000000074430000-memory.dmp

Filesize
7.7MB

Download
memory/4056-60-0x0000000073C80000-0x0000000074430000-memory.dmp

Filesize
7.7MB

Download
memory/4056-39-0x0000000073C80000-0x0000000074430000-memory.dmp

Filesize
7.7MB

Download
memory/4080-48-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4080-50-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download