amadey | 945e00ee877d6fd589c02c71e0786448bffd53ed2d473fee3ff3806551254a9e

Analysis

max time kernel
138s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03.exe
Size

231KB
MD5

3ab03116a1d5dea017a632acfe5d56fb
SHA1

d38ba4572555498c08a9c3e7e1826cf337c318e9
SHA256

0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03
SHA512

c8c3c7145d01b4c2c94451c964e7bdf1344520be45ceaeea166e9a4ff1b3b18db41ca29ea9680aca92b08da895e1ee377e14684b1eb6748a6097c7d26d12d139
SSDEEP

3072:1nf/yLH4vqqRFbyoa1dWbWGWIpe3G5kZiVSHloV552I4:1f/yLYJFbyorbWGxpP5kZoz4

Score

10^/10

amadey asyncrat djvu redline smokeloader zgrat default logsdiller cloud (tg: @logsdillabot)pub1 st12 backdoor discovery infostealer persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdpo
offline_id
Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
payload_url
http://brusuax.com/dl/build2.exe

http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

45.15.156.60:12050

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

91.92.248.67:6606

91.92.248.67:7707

91.92.248.67:8808

Mutex

MOgiiF6Liim5

Attributes

delay
3
install
false
install_file
temp.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

ST12

185.172.128.33:38294

Extracted

Family

amadey

Version

4.17

http://185.196.10.34

Attributes

install_dir
eff1401c19
install_file
Dctooux.exe
strings_key
6e23b5eadc27bb0b2eaebdd4fed1beb2
url_paths
/b8sdjsdkS/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 21 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2776-129-0x0000000004D00000-0x0000000004DCA000-memory.dmp	family_zgrat_v1
behavioral2/memory/2776-130-0x0000000004D00000-0x0000000004DC3000-memory.dmp	family_zgrat_v1
behavioral2/memory/2776-131-0x0000000004D00000-0x0000000004DC3000-memory.dmp	family_zgrat_v1
behavioral2/memory/2776-133-0x0000000004D00000-0x0000000004DC3000-memory.dmp	family_zgrat_v1
behavioral2/memory/2776-135-0x0000000004D00000-0x0000000004DC3000-memory.dmp	family_zgrat_v1
behavioral2/memory/2776-139-0x0000000004D00000-0x0000000004DC3000-memory.dmp	family_zgrat_v1
behavioral2/memory/2776-141-0x0000000004D00000-0x0000000004DC3000-memory.dmp	family_zgrat_v1
behavioral2/memory/2776-137-0x0000000004D00000-0x0000000004DC3000-memory.dmp	family_zgrat_v1
behavioral2/memory/2776-143-0x0000000004D00000-0x0000000004DC3000-memory.dmp	family_zgrat_v1
behavioral2/memory/2776-145-0x0000000004D00000-0x0000000004DC3000-memory.dmp	family_zgrat_v1
behavioral2/memory/2776-147-0x0000000004D00000-0x0000000004DC3000-memory.dmp	family_zgrat_v1
behavioral2/memory/2776-149-0x0000000004D00000-0x0000000004DC3000-memory.dmp	family_zgrat_v1
behavioral2/memory/2776-151-0x0000000004D00000-0x0000000004DC3000-memory.dmp	family_zgrat_v1
behavioral2/memory/2776-153-0x0000000004D00000-0x0000000004DC3000-memory.dmp	family_zgrat_v1
behavioral2/memory/2776-155-0x0000000004D00000-0x0000000004DC3000-memory.dmp	family_zgrat_v1
behavioral2/memory/2776-157-0x0000000004D00000-0x0000000004DC3000-memory.dmp	family_zgrat_v1
behavioral2/memory/2776-161-0x0000000004D00000-0x0000000004DC3000-memory.dmp	family_zgrat_v1
behavioral2/memory/2776-159-0x0000000004D00000-0x0000000004DC3000-memory.dmp	family_zgrat_v1
behavioral2/memory/2776-165-0x0000000004D00000-0x0000000004DC3000-memory.dmp	family_zgrat_v1
behavioral2/memory/2776-167-0x0000000004D00000-0x0000000004DC3000-memory.dmp	family_zgrat_v1
behavioral2/memory/2776-163-0x0000000004D00000-0x0000000004DC3000-memory.dmp	family_zgrat_v1

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1296-26-0x0000000002290000-0x00000000023AB000-memory.dmp	family_djvu
behavioral2/memory/3048-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3048-31-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3048-32-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3048-33-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3048-43-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1780-49-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1780-50-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1780-52-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/180-76-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline
behavioral2/memory/500-773-0x0000000000BA0000-0x0000000000BF4000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\E1B4.exe	asyncrat
behavioral2/memory/4300-105-0x0000000000950000-0x0000000000962000-memory.dmp	asyncrat

Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

D831.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation D831.exe
Deletes itself 1 IoCs

Processes:

pid process

3428
Executes dropped EXE 11 IoCs

Processes:

C4A8.exeD831.exeD831.exeD831.exeD831.exeF2ED.exeB49.exeE1B4.exe4B7B.exe512A.exe53DA.exe

pid process

3156 C4A8.exe
1296 D831.exe
3048 D831.exe
2904 D831.exe
1780 D831.exe
2360 F2ED.exe
3544 B49.exe
4300 E1B4.exe
2424 4B7B.exe
4512 512A.exe
2776 53DA.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3988 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	D831.exe

pid	process
3428

pid	process
3156	C4A8.exe
1296	D831.exe
3048	D831.exe
2904	D831.exe
1780	D831.exe
2360	F2ED.exe
3544	B49.exe
4300	E1B4.exe
2424	4B7B.exe
4512	512A.exe
2776	53DA.exe

pid	process
3988	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

D831.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d312d382-3271-48f9-8840-16507f65bb5b\\D831.exe\" --AutoStart"	D831.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 api.2ip.ua
29 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

512A.exe

pid process

4512 512A.exe

flow	ioc
28	api.2ip.ua
29	api.2ip.ua

pid	process
4512	512A.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

D831.exeD831.exeB49.exe

description	pid	process	target process
PID 1296 set thread context of 3048	1296	D831.exe	D831.exe
PID 2904 set thread context of 1780	2904	D831.exe	D831.exe
PID 3544 set thread context of 180	3544	B49.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3912 1780 WerFault.exe D831.exe

pid	pid_target	process	target process
3912	1780	WerFault.exe	D831.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

C4A8.exe0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C4A8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C4A8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C4A8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03.exe

Modifies registry class 6 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983843758-932321429-1636175382-1000\{A2BBECD5-B8FC-46E4-BFFF-8D1C372A6BFE}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03.exe

pid	process
3904	0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03.exe
3904	0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03.exe
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03.exeC4A8.exe

pid process

3904 0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03.exe
3156 C4A8.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

RegAsm.exeE1B4.exe53DA.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeDebugPrivilege	180	RegAsm.exe
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeDebugPrivilege	4300	E1B4.exe
Token: SeDebugPrivilege	4300	E1B4.exe
Token: SeDebugPrivilege	2776	53DA.exe
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	2756	explorer.exe
Token: SeCreatePagefilePrivilege	2756	explorer.exe
Token: SeShutdownPrivilege	2756	explorer.exe
Token: SeCreatePagefilePrivilege	2756	explorer.exe
Token: SeShutdownPrivilege	2756	explorer.exe
Token: SeCreatePagefilePrivilege	2756	explorer.exe
Token: SeShutdownPrivilege	2756	explorer.exe
Token: SeCreatePagefilePrivilege	2756	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

explorer.exe

pid process

2756 explorer.exe
2756 explorer.exe
2756 explorer.exe
2756 explorer.exe
2756 explorer.exe
2756 explorer.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

explorer.exe

pid	process
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

512A.exe

pid process

4512 512A.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3428

pid	process
4512	512A.exe

pid	process
3428

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

D831.exeD831.exeD831.exeB49.exe

description	pid	process	target process
PID 3428 wrote to memory of 3156	3428		C4A8.exe
PID 3428 wrote to memory of 3156	3428		C4A8.exe
PID 3428 wrote to memory of 3156	3428		C4A8.exe
PID 3428 wrote to memory of 1296	3428		D831.exe
PID 3428 wrote to memory of 1296	3428		D831.exe
PID 3428 wrote to memory of 1296	3428		D831.exe
PID 1296 wrote to memory of 3048	1296	D831.exe	D831.exe
PID 1296 wrote to memory of 3048	1296	D831.exe	D831.exe
PID 1296 wrote to memory of 3048	1296	D831.exe	D831.exe
PID 1296 wrote to memory of 3048	1296	D831.exe	D831.exe
PID 1296 wrote to memory of 3048	1296	D831.exe	D831.exe
PID 1296 wrote to memory of 3048	1296	D831.exe	D831.exe
PID 1296 wrote to memory of 3048	1296	D831.exe	D831.exe
PID 1296 wrote to memory of 3048	1296	D831.exe	D831.exe
PID 1296 wrote to memory of 3048	1296	D831.exe	D831.exe
PID 1296 wrote to memory of 3048	1296	D831.exe	D831.exe
PID 3048 wrote to memory of 3988	3048	D831.exe	icacls.exe
PID 3048 wrote to memory of 3988	3048	D831.exe	icacls.exe
PID 3048 wrote to memory of 3988	3048	D831.exe	icacls.exe
PID 3048 wrote to memory of 2904	3048	D831.exe	D831.exe
PID 3048 wrote to memory of 2904	3048	D831.exe	D831.exe
PID 3048 wrote to memory of 2904	3048	D831.exe	D831.exe
PID 2904 wrote to memory of 1780	2904	D831.exe	D831.exe
PID 2904 wrote to memory of 1780	2904	D831.exe	D831.exe
PID 2904 wrote to memory of 1780	2904	D831.exe	D831.exe
PID 2904 wrote to memory of 1780	2904	D831.exe	D831.exe
PID 2904 wrote to memory of 1780	2904	D831.exe	D831.exe
PID 2904 wrote to memory of 1780	2904	D831.exe	D831.exe
PID 2904 wrote to memory of 1780	2904	D831.exe	D831.exe
PID 2904 wrote to memory of 1780	2904	D831.exe	D831.exe
PID 2904 wrote to memory of 1780	2904	D831.exe	D831.exe
PID 2904 wrote to memory of 1780	2904	D831.exe	D831.exe
PID 3428 wrote to memory of 2360	3428		F2ED.exe
PID 3428 wrote to memory of 2360	3428		F2ED.exe
PID 3428 wrote to memory of 2360	3428		F2ED.exe
PID 3428 wrote to memory of 3544	3428		B49.exe
PID 3428 wrote to memory of 3544	3428		B49.exe
PID 3428 wrote to memory of 3544	3428		B49.exe
PID 3544 wrote to memory of 180	3544	B49.exe	RegAsm.exe
PID 3544 wrote to memory of 180	3544	B49.exe	RegAsm.exe
PID 3544 wrote to memory of 180	3544	B49.exe	RegAsm.exe
PID 3544 wrote to memory of 180	3544	B49.exe	RegAsm.exe
PID 3544 wrote to memory of 180	3544	B49.exe	RegAsm.exe
PID 3544 wrote to memory of 180	3544	B49.exe	RegAsm.exe
PID 3544 wrote to memory of 180	3544	B49.exe	RegAsm.exe
PID 3544 wrote to memory of 180	3544	B49.exe	RegAsm.exe
PID 3428 wrote to memory of 4300	3428		E1B4.exe
PID 3428 wrote to memory of 4300	3428		E1B4.exe
PID 3428 wrote to memory of 4300	3428		E1B4.exe
PID 3428 wrote to memory of 2424	3428		4B7B.exe
PID 3428 wrote to memory of 2424	3428		4B7B.exe
PID 3428 wrote to memory of 4512	3428		512A.exe
PID 3428 wrote to memory of 4512	3428		512A.exe
PID 3428 wrote to memory of 4512	3428		512A.exe
PID 3428 wrote to memory of 2776	3428		53DA.exe
PID 3428 wrote to memory of 2776	3428		53DA.exe
PID 3428 wrote to memory of 2776	3428		53DA.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03.exe
"C:\Users\Admin\AppData\Local\Temp\0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3904

C:\Users\Admin\AppData\Local\Temp\C4A8.exe
C:\Users\Admin\AppData\Local\Temp\C4A8.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3156

C:\Users\Admin\AppData\Local\Temp\D831.exe
C:\Users\Admin\AppData\Local\Temp\D831.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\Temp\D831.exe
C:\Users\Admin\AppData\Local\Temp\D831.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\d312d382-3271-48f9-8840-16507f65bb5b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3988

C:\Users\Admin\AppData\Local\Temp\D831.exe
"C:\Users\Admin\AppData\Local\Temp\D831.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2904

C:\Users\Admin\AppData\Local\Temp\D831.exe
"C:\Users\Admin\AppData\Local\Temp\D831.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 568
5⤵
- Program crash
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1780 -ip 1780
1⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\F2ED.exe
C:\Users\Admin\AppData\Local\Temp\F2ED.exe
1⤵
- Executes dropped EXE
PID:2360

C:\Users\Admin\AppData\Local\Temp\B49.exe
C:\Users\Admin\AppData\Local\Temp\B49.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:180

C:\Users\Admin\AppData\Local\Temp\E1B4.exe
C:\Users\Admin\AppData\Local\Temp\E1B4.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Users\Admin\AppData\Local\Temp\4B7B.exe
C:\Users\Admin\AppData\Local\Temp\4B7B.exe
1⤵
- Executes dropped EXE
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
2⤵
PID:500

C:\Users\Admin\AppData\Local\Temp\512A.exe
C:\Users\Admin\AppData\Local\Temp\512A.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4512

C:\Users\Admin\AppData\Local\Temp\53DA.exe
C:\Users\Admin\AppData\Local\Temp\53DA.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Users\Admin\AppData\Local\Temp\53DA.exe
C:\Users\Admin\AppData\Local\Temp\53DA.exe
2⤵
PID:2520

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1300

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5032

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4500

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1084

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
1af595ccc6eb6fc50da263b1b56f6124

SHA1
6843b70ecb14c33709c6abf56b4766e08fbd0b7b

SHA256
904b2751181d601bad7740fc6dd88df654ac7eea99047a047ef9adc37fa95ff9

SHA512
e14099da90e8aa2ecf22dbe971243f092eeb41d2c305af568d8c6ddb47de800fed646d808c79d9f318fbfca26fc753237fce8eee57b7758e4f99e3c6f73f773f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
dd3f8648915506d9403c8cf923d58b42

SHA1
1e8824c686dd0812b666f59338c3c5d358a89826

SHA256
9f7c97c6acf8d0f8cf008a3b6fc4917cdc1068a2ae4b505a785eebcc1583a250

SHA512
028ca1fe2e876f311e04fe9b30fe3ee716381b78b7c153cae872b92e695c36d78d35754ca528c66a6fa382c830b97b0d9880fb28031982044a6f54d2373e56e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B7B.exe
Filesize
3.0MB

MD5
d1dded05e9a2c1d968fe762f2f019917

SHA1
a8ff48bdf61763d585598ea849f2013c1e97cf7c

SHA256
e6ae5b6acc33e5a048513f1a6b34992cd1f3e6f2e4b05d31ba713d53bee52d17

SHA512
a5affc442b99d381f912613b2e13dfb63e4ef23b7ad84b785129ad80ce1374f35e661da82816346b077c580427fe750306a397d3d6017f67c4206ecb23ddc6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\512A.exe
Filesize
1.2MB

MD5
63792b91bf9822080c057ede632bab8b

SHA1
805788878ed65575ff4cfc735b3b632fb17ecc67

SHA256
6c4486559292761204c43bdbda6dbc1c62cdb9adf8e7e69bb7f48db2a8e72f06

SHA512
8a28f54ee4589503ce4e2fa01004a670d47d5139087828161f77730cfa728c31717583944ad3feb734194b5855ab409ae5cf7f0445cb0b7cb8cc8facf20f93b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\53DA.exe
Filesize
763KB

MD5
14f7c4b98e2c837e555d030bfbe740c4

SHA1
695e50ac70754d449445343764d8a0c339323a04

SHA256
585892aac1dd2104c9dc5badf75efbc0d5f363456c084741af5e251402473de0

SHA512
c72065546378ea95362d370b6e5fe6aa75e197c2a156193057f6ffe0f4c010ad3a2d7b6d024b02f7aee91b97dd6740833911107bcdb8a7fae2316e0ef8228cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\B49.exe
Filesize
380KB

MD5
d9ec192c82b59ae4dfae55218b19530f

SHA1
d7170975baf5f27ea0591a33f45cddb63574ac94

SHA256
52c5799b3c93ca11e9953e8a5712a82dd08b6cb0c17ff90cb1d2cb104411e7d4

SHA512
7ed6906f71ac045b2a4732935995abdfde68d88fe6041b19f114dfb95fb943450d5cbfbf1d185d3a2febb29c7d3493b9c1247a84925a5e7af41e1c710cc77838

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4A8.exe
Filesize
215KB

MD5
f73e509c71abc1b5c789834510e117c7

SHA1
de658fac7257ed1c10b11c1b96cee672ddb41277

SHA256
75bcc7144c36d2931b31364db4d3b3fc44b1ad803790ea1077f228efc715bb6d

SHA512
a176bfe67b62c770cb4c306c35d7e2c19de00adea9f6eb980d3eb6ee56ef4c29cb3b97bc8f73e6be59f30db408ad5c3d43dc5eb088016f7faf791ad4304c164d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D831.exe
Filesize
769KB

MD5
6b3c3b621f4964f232d23c7b32a2e486

SHA1
dc7a1111a7fa4380b42dfa8e6d1b22b338aa10fc

SHA256
5e19952acedb1da68215069d44ce1f3d48da10491151003148f1cceab03f1073

SHA512
78b0b893295e5c8c811618638bfb9fcca2daef20b209ef4f0aeb400372b9827ff8b01325427ee41091dfb9d6b3c334510a6f2b4cccf407970cf72adb0bb2b293

Download Submit
C:\Users\Admin\AppData\Local\Temp\E1B4.exe
Filesize
45KB

MD5
29aa4c2cb6e7ce8a61dfa8de608fb7dc

SHA1
110fed633d526e1a135e4a0a5c65eddbc259e8fe

SHA256
06e1c42823b4ba89015c15d6d5ac83649aab4e54d8384993eaf76d4252a59806

SHA512
4a11b7e954c0c4cbf0ecabf8dc034b10d62680c318042473739cfef65ed0cab16fbdc647588cf18abe5fe942589e442090450d2058c77e6ca1ea2b9d35dc4e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2ED.exe
Filesize
5.3MB

MD5
2b82eb950c4b07624724358abaee1e17

SHA1
35b7e43f3e60c7c9423773458715f65d010c854e

SHA256
883e014f638041cc942d1125a65846156b6a0af20f3a27883817ecc2ab0d6727

SHA512
2099a58cfd73290572793c6a9f36b5f3fdb20117eb601dfd7f62246465901cc56449c6a5e6a852a383d7a44534221aca91405ef2a6f96c76ad30ad82f16f24af

Download Submit
memory/180-97-0x0000000008970000-0x0000000008E9C000-memory.dmp

Filesize
5.2MB

Download
memory/180-94-0x00000000062C0000-0x0000000006326000-memory.dmp

Filesize
408KB

Download
memory/180-82-0x00000000740A0000-0x0000000074850000-memory.dmp

Filesize
7.7MB

Download
memory/180-83-0x0000000005630000-0x00000000056C2000-memory.dmp

Filesize
584KB

Download
memory/180-76-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/180-99-0x00000000740A0000-0x0000000074850000-memory.dmp

Filesize
7.7MB

Download
memory/180-81-0x0000000005B40000-0x00000000060E4000-memory.dmp

Filesize
5.6MB

Download
memory/180-96-0x0000000008270000-0x0000000008432000-memory.dmp

Filesize
1.8MB

Download
memory/180-95-0x0000000008050000-0x00000000080A0000-memory.dmp

Filesize
320KB

Download
memory/180-85-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/180-86-0x00000000055F0000-0x00000000055FA000-memory.dmp

Filesize
40KB

Download
memory/180-87-0x0000000006710000-0x0000000006D28000-memory.dmp

Filesize
6.1MB

Download
memory/180-88-0x00000000060F0000-0x00000000061FA000-memory.dmp

Filesize
1.0MB

Download
memory/180-89-0x00000000059C0000-0x00000000059D2000-memory.dmp

Filesize
72KB

Download
memory/180-91-0x0000000005A60000-0x0000000005AAC000-memory.dmp

Filesize
304KB

Download
memory/180-90-0x00000000059E0000-0x0000000005A1C000-memory.dmp

Filesize
240KB

Download
memory/500-779-0x0000000005610000-0x0000000005620000-memory.dmp

Filesize
64KB

Download
memory/500-785-0x0000000005880000-0x00000000058CC000-memory.dmp

Filesize
304KB

Download
memory/500-773-0x0000000000BA0000-0x0000000000BF4000-memory.dmp

Filesize
336KB

Download
memory/500-772-0x0000000074130000-0x00000000748E0000-memory.dmp

Filesize
7.7MB

Download
memory/1296-26-0x0000000002290000-0x00000000023AB000-memory.dmp

Filesize
1.1MB

Download
memory/1296-24-0x0000000002110000-0x00000000021B2000-memory.dmp

Filesize
648KB

Download
memory/1780-52-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1780-50-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1780-49-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2360-61-0x0000000000F90000-0x0000000001844000-memory.dmp

Filesize
8.7MB

Download
memory/2360-60-0x0000000000F90000-0x0000000001844000-memory.dmp

Filesize
8.7MB

Download
memory/2360-84-0x0000000000F90000-0x0000000001844000-memory.dmp

Filesize
8.7MB

Download
memory/2360-59-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/2360-93-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2360-64-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2360-63-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2520-1100-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2520-1095-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2776-159-0x0000000004D00000-0x0000000004DC3000-memory.dmp

Filesize
780KB

Download
memory/2776-165-0x0000000004D00000-0x0000000004DC3000-memory.dmp

Filesize
780KB

Download
memory/2776-1094-0x0000000074130000-0x00000000748E0000-memory.dmp

Filesize
7.7MB

Download
memory/2776-1088-0x0000000005020000-0x000000000506C000-memory.dmp

Filesize
304KB

Download
memory/2776-1087-0x0000000004FC0000-0x0000000005020000-memory.dmp

Filesize
384KB

Download
memory/2776-1086-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/2776-163-0x0000000004D00000-0x0000000004DC3000-memory.dmp

Filesize
780KB

Download
memory/2776-167-0x0000000004D00000-0x0000000004DC3000-memory.dmp

Filesize
780KB

Download
memory/2776-161-0x0000000004D00000-0x0000000004DC3000-memory.dmp

Filesize
780KB

Download
memory/2776-157-0x0000000004D00000-0x0000000004DC3000-memory.dmp

Filesize
780KB

Download
memory/2776-155-0x0000000004D00000-0x0000000004DC3000-memory.dmp

Filesize
780KB

Download
memory/2776-153-0x0000000004D00000-0x0000000004DC3000-memory.dmp

Filesize
780KB

Download
memory/2776-151-0x0000000004D00000-0x0000000004DC3000-memory.dmp

Filesize
780KB

Download
memory/2776-149-0x0000000004D00000-0x0000000004DC3000-memory.dmp

Filesize
780KB

Download
memory/2776-147-0x0000000004D00000-0x0000000004DC3000-memory.dmp

Filesize
780KB

Download
memory/2776-145-0x0000000004D00000-0x0000000004DC3000-memory.dmp

Filesize
780KB

Download
memory/2776-143-0x0000000004D00000-0x0000000004DC3000-memory.dmp

Filesize
780KB

Download
memory/2776-137-0x0000000004D00000-0x0000000004DC3000-memory.dmp

Filesize
780KB

Download
memory/2776-141-0x0000000004D00000-0x0000000004DC3000-memory.dmp

Filesize
780KB

Download
memory/2776-125-0x0000000000320000-0x00000000003E6000-memory.dmp

Filesize
792KB

Download
memory/2776-127-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/2776-126-0x0000000074130000-0x00000000748E0000-memory.dmp

Filesize
7.7MB

Download
memory/2776-128-0x0000000004C10000-0x0000000004CD8000-memory.dmp

Filesize
800KB

Download
memory/2776-129-0x0000000004D00000-0x0000000004DCA000-memory.dmp

Filesize
808KB

Download
memory/2776-130-0x0000000004D00000-0x0000000004DC3000-memory.dmp

Filesize
780KB

Download
memory/2776-131-0x0000000004D00000-0x0000000004DC3000-memory.dmp

Filesize
780KB

Download
memory/2776-133-0x0000000004D00000-0x0000000004DC3000-memory.dmp

Filesize
780KB

Download
memory/2776-135-0x0000000004D00000-0x0000000004DC3000-memory.dmp

Filesize
780KB

Download
memory/2776-139-0x0000000004D00000-0x0000000004DC3000-memory.dmp

Filesize
780KB

Download
memory/2904-46-0x00000000021E0000-0x0000000002277000-memory.dmp

Filesize
604KB

Download
memory/3048-31-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3048-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3048-33-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3048-32-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3048-43-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3156-16-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/3156-27-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3156-17-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3428-23-0x0000000002640000-0x0000000002656000-memory.dmp

Filesize
88KB

Download
memory/3428-4-0x0000000002920000-0x0000000002936000-memory.dmp

Filesize
88KB

Download
memory/3544-100-0x0000000002DD0000-0x0000000004DD0000-memory.dmp

Filesize
32.0MB

Download
memory/3544-80-0x0000000002DD0000-0x0000000004DD0000-memory.dmp

Filesize
32.0MB

Download
memory/3544-70-0x00000000740A0000-0x0000000074850000-memory.dmp

Filesize
7.7MB

Download
memory/3544-69-0x0000000000890000-0x00000000008F4000-memory.dmp

Filesize
400KB

Download
memory/3544-73-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/3544-79-0x00000000740A0000-0x0000000074850000-memory.dmp

Filesize
7.7MB

Download
memory/3904-1-0x0000000000A90000-0x0000000000B90000-memory.dmp

Filesize
1024KB

Download
memory/3904-5-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download
memory/3904-3-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download
memory/3904-2-0x0000000000A00000-0x0000000000A0B000-memory.dmp

Filesize
44KB

Download
memory/4300-105-0x0000000000950000-0x0000000000962000-memory.dmp

Filesize
72KB

Download
memory/4300-106-0x0000000074130000-0x00000000748E0000-memory.dmp

Filesize
7.7MB

Download
memory/4300-107-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/4300-108-0x0000000074130000-0x00000000748E0000-memory.dmp

Filesize
7.7MB

Download
memory/4300-109-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/4512-119-0x00000000004F0000-0x00000000009D3000-memory.dmp

Filesize
4.9MB

Download