amadey | b70d16a1fda7970ec06e9250b6215062d4a77b7c3bf52a75195ba8cce285643b

Analysis

max time kernel
142s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2023 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

468033c2e6a98660cda4376fa7b2b95c.exe
Size

436KB
MD5

468033c2e6a98660cda4376fa7b2b95c
SHA1

340529da72ad4aad5896cfdbd49d293028eb96d5
SHA256

b70d16a1fda7970ec06e9250b6215062d4a77b7c3bf52a75195ba8cce285643b
SHA512

25581dcb6f731eccece7604b0d5410c356144b6886e8a344fd6891ec9544994e8279ee35d5b8f7f1cc7911cd7073f4ef6917ffb820effc48b4bb0af6f0318342
SSDEEP

6144:KCS/nm7QpasI425Jyuu2LwKAFqfKxyiM0MxYhLcgvR:KCmsQpiufqfqTS

Score

10^/10

amadey spyware stealer trojan

Malware Config

Extracted

Family

amadey

http://arrunda.ru

http://soetegem.com

http://tceducn.com

Attributes

strings_key
eb714cabd2548b4a03c45f723f838bdc
url_paths
/forum/index.php

rc4.plain

Extracted

Family

amadey

Version

4.11

http://shohetrc.com

http://sibcomputer.ru

http://tve-mail.com

Attributes

install_dir
d4dd819322
install_file
Utsysc.exe
strings_key
8419b3024d6f72beef8af6915e592308
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

flow pid process

50 1304 rundll32.exe
53 1304 rundll32.exe
55 1340 rundll32.exe
57 4688 rundll32.exe
58 4688 rundll32.exe
62 1340 rundll32.exe
Downloads MZ/PE file

flow	pid	process
50	1304	rundll32.exe
53	1304	rundll32.exe
55	1340	rundll32.exe
57	4688	rundll32.exe
58	4688	rundll32.exe
62	1340	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

468033c2e6a98660cda4376fa7b2b95c.exeUtsysc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	468033c2e6a98660cda4376fa7b2b95c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	Utsysc.exe

Executes dropped EXE 3 IoCs

Processes:

Utsysc.exeUtsysc.exeUtsysc.exe

pid process

3120 Utsysc.exe
4164 Utsysc.exe
3384 Utsysc.exe

pid	process
3120	Utsysc.exe
4164	Utsysc.exe
3384	Utsysc.exe

Loads dropped DLL 9 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
1776	rundll32.exe
4196	rundll32.exe
2856	rundll32.exe
1508	rundll32.exe
1680	rundll32.exe
224	rundll32.exe
1304	rundll32.exe
1340	rundll32.exe
4688	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 33 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5108	932	WerFault.exe	468033c2e6a98660cda4376fa7b2b95c.exe
4880	932	WerFault.exe	468033c2e6a98660cda4376fa7b2b95c.exe
2524	932	WerFault.exe	468033c2e6a98660cda4376fa7b2b95c.exe
4400	932	WerFault.exe	468033c2e6a98660cda4376fa7b2b95c.exe
1724	932	WerFault.exe	468033c2e6a98660cda4376fa7b2b95c.exe
3404	932	WerFault.exe	468033c2e6a98660cda4376fa7b2b95c.exe
928	932	WerFault.exe	468033c2e6a98660cda4376fa7b2b95c.exe
400	932	WerFault.exe	468033c2e6a98660cda4376fa7b2b95c.exe
4692	932	WerFault.exe	468033c2e6a98660cda4376fa7b2b95c.exe
4612	932	WerFault.exe	468033c2e6a98660cda4376fa7b2b95c.exe
2324	3120	WerFault.exe	Utsysc.exe
3680	3120	WerFault.exe	Utsysc.exe
4296	3120	WerFault.exe	Utsysc.exe
4708	3120	WerFault.exe	Utsysc.exe
2192	3120	WerFault.exe	Utsysc.exe
5008	3120	WerFault.exe	Utsysc.exe
2928	3120	WerFault.exe	Utsysc.exe
1172	3120	WerFault.exe	Utsysc.exe
1244	3120	WerFault.exe	Utsysc.exe
4776	3120	WerFault.exe	Utsysc.exe
4868	3120	WerFault.exe	Utsysc.exe
2100	3120	WerFault.exe	Utsysc.exe
960	3120	WerFault.exe	Utsysc.exe
3440	3120	WerFault.exe	Utsysc.exe
3920	3120	WerFault.exe	Utsysc.exe
4944	3120	WerFault.exe	Utsysc.exe
400	3120	WerFault.exe	Utsysc.exe
3596	3120	WerFault.exe	Utsysc.exe
4108	3120	WerFault.exe	Utsysc.exe
4216	4164	WerFault.exe	Utsysc.exe
2056	3120	WerFault.exe	Utsysc.exe
3692	3384	WerFault.exe	Utsysc.exe
4036	3120	WerFault.exe	Utsysc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2812 schtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

468033c2e6a98660cda4376fa7b2b95c.exe

pid process

932 468033c2e6a98660cda4376fa7b2b95c.exe

pid	process
2812	schtasks.exe

pid	process
932	468033c2e6a98660cda4376fa7b2b95c.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

468033c2e6a98660cda4376fa7b2b95c.exeUtsysc.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 932 wrote to memory of 3120	932	468033c2e6a98660cda4376fa7b2b95c.exe	Utsysc.exe
PID 932 wrote to memory of 3120	932	468033c2e6a98660cda4376fa7b2b95c.exe	Utsysc.exe
PID 932 wrote to memory of 3120	932	468033c2e6a98660cda4376fa7b2b95c.exe	Utsysc.exe
PID 3120 wrote to memory of 2812	3120	Utsysc.exe	schtasks.exe
PID 3120 wrote to memory of 2812	3120	Utsysc.exe	schtasks.exe
PID 3120 wrote to memory of 2812	3120	Utsysc.exe	schtasks.exe
PID 3120 wrote to memory of 1776	3120	Utsysc.exe	rundll32.exe
PID 3120 wrote to memory of 1776	3120	Utsysc.exe	rundll32.exe
PID 3120 wrote to memory of 1776	3120	Utsysc.exe	rundll32.exe
PID 1776 wrote to memory of 4196	1776	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 4196	1776	rundll32.exe	rundll32.exe
PID 3120 wrote to memory of 2856	3120	Utsysc.exe	rundll32.exe
PID 3120 wrote to memory of 2856	3120	Utsysc.exe	rundll32.exe
PID 3120 wrote to memory of 2856	3120	Utsysc.exe	rundll32.exe
PID 2856 wrote to memory of 1508	2856	rundll32.exe	rundll32.exe
PID 2856 wrote to memory of 1508	2856	rundll32.exe	rundll32.exe
PID 3120 wrote to memory of 1680	3120	Utsysc.exe	rundll32.exe
PID 3120 wrote to memory of 1680	3120	Utsysc.exe	rundll32.exe
PID 3120 wrote to memory of 1680	3120	Utsysc.exe	rundll32.exe
PID 1680 wrote to memory of 224	1680	rundll32.exe	rundll32.exe
PID 1680 wrote to memory of 224	1680	rundll32.exe	rundll32.exe
PID 3120 wrote to memory of 1304	3120	Utsysc.exe	rundll32.exe
PID 3120 wrote to memory of 1304	3120	Utsysc.exe	rundll32.exe
PID 3120 wrote to memory of 1304	3120	Utsysc.exe	rundll32.exe
PID 3120 wrote to memory of 1340	3120	Utsysc.exe	rundll32.exe
PID 3120 wrote to memory of 1340	3120	Utsysc.exe	rundll32.exe
PID 3120 wrote to memory of 1340	3120	Utsysc.exe	rundll32.exe
PID 3120 wrote to memory of 4688	3120	Utsysc.exe	rundll32.exe
PID 3120 wrote to memory of 4688	3120	Utsysc.exe	rundll32.exe
PID 3120 wrote to memory of 4688	3120	Utsysc.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\468033c2e6a98660cda4376fa7b2b95c.exe
"C:\Users\Admin\AppData\Local\Temp\468033c2e6a98660cda4376fa7b2b95c.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 608
2⤵
- Program crash
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 680
2⤵
- Program crash
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 748
2⤵
- Program crash
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 864
2⤵
- Program crash
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 892
2⤵
- Program crash
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 892
2⤵
- Program crash
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 1120
2⤵
- Program crash
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 1136
2⤵
- Program crash
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 1156
2⤵
- Program crash
PID:4692

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 620
3⤵
- Program crash
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 796
3⤵
- Program crash
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 820
3⤵
- Program crash
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 980
3⤵
- Program crash
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1020
3⤵
- Program crash
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1020
3⤵
- Program crash
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1060
3⤵
- Program crash
PID:2928

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe" /F
3⤵
- Creates scheduled task(s)
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 932
3⤵
- Program crash
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1232
3⤵
- Program crash
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1240
3⤵
- Program crash
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1220
3⤵
- Program crash
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1244
3⤵
- Program crash
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1264
3⤵
- Program crash
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1280
3⤵
- Program crash
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1304
3⤵
- Program crash
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1156
3⤵
- Program crash
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1188
3⤵
- Program crash
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1596
3⤵
- Program crash
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1580
3⤵
- Program crash
PID:4108

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:4196

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:1508

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:224

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1304

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1340

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1268
3⤵
- Program crash
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1080
3⤵
- Program crash
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 1284
2⤵
- Program crash
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 932 -ip 932
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 932 -ip 932
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 932 -ip 932
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 932 -ip 932
1⤵
PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 932 -ip 932
1⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 932 -ip 932
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 932 -ip 932
1⤵
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 932 -ip 932
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 932 -ip 932
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 932 -ip 932
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3120 -ip 3120
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3120 -ip 3120
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3120 -ip 3120
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3120 -ip 3120
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3120 -ip 3120
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3120 -ip 3120
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3120 -ip 3120
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3120 -ip 3120
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3120 -ip 3120
1⤵
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3120 -ip 3120
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3120 -ip 3120
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3120 -ip 3120
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3120 -ip 3120
1⤵
PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3120 -ip 3120
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3120 -ip 3120
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3120 -ip 3120
1⤵
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3120 -ip 3120
1⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3120 -ip 3120
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3120 -ip 3120
1⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
1⤵
- Executes dropped EXE
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 444
2⤵
- Program crash
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4164 -ip 4164
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3120 -ip 3120
1⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
1⤵
- Executes dropped EXE
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 448
2⤵
- Program crash
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3384 -ip 3384
1⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3120 -ip 3120
1⤵
PID:4900

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\811856890180
Filesize
77KB

MD5
38aba7c31af8fe9a2af83772ab17aaa7

SHA1
3dfaa34df83f5891e01a282865d2f162787bba1d

SHA256
f219754cb43dd2d84371cdbcd132daf029c2aa02c4fab49b25b811bb41f10cce

SHA512
e57455ae4c246fb35432b0e10645bc8aa236bab7292e1c009c3d79741e1c17a1e23afcd762577fa98287d56fbe4befebfb9c1368620ca9571028a4778381c130

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
Filesize
436KB

MD5
468033c2e6a98660cda4376fa7b2b95c

SHA1
340529da72ad4aad5896cfdbd49d293028eb96d5

SHA256
b70d16a1fda7970ec06e9250b6215062d4a77b7c3bf52a75195ba8cce285643b

SHA512
25581dcb6f731eccece7604b0d5410c356144b6886e8a344fd6891ec9544994e8279ee35d5b8f7f1cc7911cd7073f4ef6917ffb820effc48b4bb0af6f0318342

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
Filesize
436KB

MD5
468033c2e6a98660cda4376fa7b2b95c

SHA1
340529da72ad4aad5896cfdbd49d293028eb96d5

SHA256
b70d16a1fda7970ec06e9250b6215062d4a77b7c3bf52a75195ba8cce285643b

SHA512
25581dcb6f731eccece7604b0d5410c356144b6886e8a344fd6891ec9544994e8279ee35d5b8f7f1cc7911cd7073f4ef6917ffb820effc48b4bb0af6f0318342

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
Filesize
436KB

MD5
468033c2e6a98660cda4376fa7b2b95c

SHA1
340529da72ad4aad5896cfdbd49d293028eb96d5

SHA256
b70d16a1fda7970ec06e9250b6215062d4a77b7c3bf52a75195ba8cce285643b

SHA512
25581dcb6f731eccece7604b0d5410c356144b6886e8a344fd6891ec9544994e8279ee35d5b8f7f1cc7911cd7073f4ef6917ffb820effc48b4bb0af6f0318342

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
Filesize
436KB

MD5
468033c2e6a98660cda4376fa7b2b95c

SHA1
340529da72ad4aad5896cfdbd49d293028eb96d5

SHA256
b70d16a1fda7970ec06e9250b6215062d4a77b7c3bf52a75195ba8cce285643b

SHA512
25581dcb6f731eccece7604b0d5410c356144b6886e8a344fd6891ec9544994e8279ee35d5b8f7f1cc7911cd7073f4ef6917ffb820effc48b4bb0af6f0318342

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
Filesize
436KB

MD5
468033c2e6a98660cda4376fa7b2b95c

SHA1
340529da72ad4aad5896cfdbd49d293028eb96d5

SHA256
b70d16a1fda7970ec06e9250b6215062d4a77b7c3bf52a75195ba8cce285643b

SHA512
25581dcb6f731eccece7604b0d5410c356144b6886e8a344fd6891ec9544994e8279ee35d5b8f7f1cc7911cd7073f4ef6917ffb820effc48b4bb0af6f0318342

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll
Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll
Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll
Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll
Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll
Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
memory/932-2-0x0000000004830000-0x000000000489C000-memory.dmp

Filesize
432KB

Download
memory/932-1-0x0000000002C10000-0x0000000002D10000-memory.dmp

Filesize
1024KB

Download
memory/932-3-0x0000000000400000-0x0000000002AE4000-memory.dmp

Filesize
38.9MB

Download
memory/932-14-0x0000000000400000-0x0000000002AE4000-memory.dmp

Filesize
38.9MB

Download
memory/932-16-0x0000000004830000-0x000000000489C000-memory.dmp

Filesize
432KB

Download
memory/3120-61-0x0000000000400000-0x0000000002AE4000-memory.dmp

Filesize
38.9MB

Download
memory/3120-77-0x0000000000400000-0x0000000002AE4000-memory.dmp

Filesize
38.9MB

Download
memory/3120-49-0x0000000002D40000-0x0000000002E40000-memory.dmp

Filesize
1024KB

Download
memory/3120-19-0x0000000000400000-0x0000000002AE4000-memory.dmp

Filesize
38.9MB

Download
memory/3120-18-0x0000000002D40000-0x0000000002E40000-memory.dmp

Filesize
1024KB

Download
memory/3120-50-0x0000000000400000-0x0000000002AE4000-memory.dmp

Filesize
38.9MB

Download
memory/3120-73-0x0000000000400000-0x0000000002AE4000-memory.dmp

Filesize
38.9MB

Download
memory/3120-58-0x0000000000400000-0x0000000002AE4000-memory.dmp

Filesize
38.9MB

Download
memory/3120-75-0x0000000000400000-0x0000000002AE4000-memory.dmp

Filesize
38.9MB

Download
memory/3120-36-0x0000000000400000-0x0000000002AE4000-memory.dmp

Filesize
38.9MB

Download
memory/3384-81-0x0000000002DA0000-0x0000000002EA0000-memory.dmp

Filesize
1024KB

Download
memory/3384-82-0x0000000000400000-0x0000000002AE4000-memory.dmp

Filesize
38.9MB

Download
memory/4164-55-0x0000000002E70000-0x0000000002F70000-memory.dmp

Filesize
1024KB

Download
memory/4164-56-0x0000000000400000-0x0000000002AE4000-memory.dmp

Filesize
38.9MB

Download