amadey | e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3

General

Target

e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3.exe
Size

223KB
MD5

e5f1b768a60cb6457200a8056398f60b
SHA1

676c1edbeedffb2e18e40181ff241dfa774c285a
SHA256

e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3
SHA512

6ae768714ac49dcc232cad66181ba8e366582cd911ffbab3a7d8f4f76680f0ad9f63c48ef4eb47290a317357c970e094ba321c2dbb59a770c96c1f5dd669cf92
SSDEEP

3072:g2Zy6hujxaMXP3OwoBXYQk9guGjRN+WMvtOAM49uHZZFGGgjaaSpGq/B:g2nEaMmRBIYu6N+1N4HZx9p7

Score

10^/10

amadey smokeloader pub2 backdoor spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

smokeloader

Version

2022

C2

http://gxutc2c.com/tmp/index.php

http://proekt8.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

amadey

Version

4.14

C2

http://anfesq.com

http://cbinr.com

http://rimakc.ru

Attributes

install_dir
68fd3d7ade
install_file
Utsysc.exe
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

F77F.exeUtsysc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	F77F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Utsysc.exe

Deletes itself 1 IoCs

Processes:

pid process

3436
Executes dropped EXE 3 IoCs

Processes:

F77F.exeUtsysc.exeUtsysc.exe

pid process

1552 F77F.exe
2200 Utsysc.exe
1176 Utsysc.exe

pid	process
3436

pid	process
1552	F77F.exe
2200	Utsysc.exe
1176	Utsysc.exe

Loads dropped DLL 9 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
1956	rundll32.exe
1960	rundll32.exe
1352	rundll32.exe
944	rundll32.exe
1560	rundll32.exe
4964	rundll32.exe
908	rundll32.exe
752	rundll32.exe
4272	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4136	1552	WerFault.exe	F77F.exe
1124	1552	WerFault.exe	F77F.exe
4600	1552	WerFault.exe	F77F.exe
380	1552	WerFault.exe	F77F.exe
4860	1552	WerFault.exe	F77F.exe
3328	1552	WerFault.exe	F77F.exe
3676	1552	WerFault.exe	F77F.exe
2432	1552	WerFault.exe	F77F.exe
1352	1552	WerFault.exe	F77F.exe
2560	2200	WerFault.exe	Utsysc.exe
3508	2200	WerFault.exe	Utsysc.exe
4308	2200	WerFault.exe	Utsysc.exe
4448	2200	WerFault.exe	Utsysc.exe
2724	2200	WerFault.exe	Utsysc.exe
2404	2200	WerFault.exe	Utsysc.exe
1596	2200	WerFault.exe	Utsysc.exe
4572	2200	WerFault.exe	Utsysc.exe
1420	2200	WerFault.exe	Utsysc.exe
876	2200	WerFault.exe	Utsysc.exe
1156	2200	WerFault.exe	Utsysc.exe
5008	2200	WerFault.exe	Utsysc.exe
2640	2200	WerFault.exe	Utsysc.exe
3972	2200	WerFault.exe	Utsysc.exe
5108	2200	WerFault.exe	Utsysc.exe
2156	2200	WerFault.exe	Utsysc.exe
4524	2200	WerFault.exe	Utsysc.exe
412	2200	WerFault.exe	Utsysc.exe
4848	2200	WerFault.exe	Utsysc.exe
2408	2200	WerFault.exe	Utsysc.exe
4732	2200	WerFault.exe	Utsysc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5076 schtasks.exe

pid	process
5076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3.exe

pid	process
4996	e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3.exe
4996	e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3.exe
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3.exe

pid process

4996 e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

F77F.exe

pid process

1552 F77F.exe

pid	process
1552	F77F.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

F77F.exeUtsysc.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 3436 wrote to memory of 1552	3436		F77F.exe
PID 3436 wrote to memory of 1552	3436		F77F.exe
PID 3436 wrote to memory of 1552	3436		F77F.exe
PID 1552 wrote to memory of 2200	1552	F77F.exe	Utsysc.exe
PID 1552 wrote to memory of 2200	1552	F77F.exe	Utsysc.exe
PID 1552 wrote to memory of 2200	1552	F77F.exe	Utsysc.exe
PID 2200 wrote to memory of 5076	2200	Utsysc.exe	schtasks.exe
PID 2200 wrote to memory of 5076	2200	Utsysc.exe	schtasks.exe
PID 2200 wrote to memory of 5076	2200	Utsysc.exe	schtasks.exe
PID 2200 wrote to memory of 1956	2200	Utsysc.exe	rundll32.exe
PID 2200 wrote to memory of 1956	2200	Utsysc.exe	rundll32.exe
PID 2200 wrote to memory of 1956	2200	Utsysc.exe	rundll32.exe
PID 1956 wrote to memory of 1960	1956	rundll32.exe	rundll32.exe
PID 1956 wrote to memory of 1960	1956	rundll32.exe	rundll32.exe
PID 2200 wrote to memory of 1352	2200	Utsysc.exe	rundll32.exe
PID 2200 wrote to memory of 1352	2200	Utsysc.exe	rundll32.exe
PID 2200 wrote to memory of 1352	2200	Utsysc.exe	rundll32.exe
PID 1352 wrote to memory of 944	1352	rundll32.exe	rundll32.exe
PID 1352 wrote to memory of 944	1352	rundll32.exe	rundll32.exe
PID 2200 wrote to memory of 1560	2200	Utsysc.exe	rundll32.exe
PID 2200 wrote to memory of 1560	2200	Utsysc.exe	rundll32.exe
PID 2200 wrote to memory of 1560	2200	Utsysc.exe	rundll32.exe
PID 1560 wrote to memory of 4964	1560	rundll32.exe	rundll32.exe
PID 1560 wrote to memory of 4964	1560	rundll32.exe	rundll32.exe
PID 2200 wrote to memory of 908	2200	Utsysc.exe	rundll32.exe
PID 2200 wrote to memory of 908	2200	Utsysc.exe	rundll32.exe
PID 2200 wrote to memory of 908	2200	Utsysc.exe	rundll32.exe
PID 2200 wrote to memory of 752	2200	Utsysc.exe	rundll32.exe
PID 2200 wrote to memory of 752	2200	Utsysc.exe	rundll32.exe
PID 2200 wrote to memory of 752	2200	Utsysc.exe	rundll32.exe
PID 2200 wrote to memory of 4272	2200	Utsysc.exe	rundll32.exe
PID 2200 wrote to memory of 4272	2200	Utsysc.exe	rundll32.exe
PID 2200 wrote to memory of 4272	2200	Utsysc.exe	rundll32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3.exe
"C:\Users\Admin\AppData\Local\Temp\e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4996

C:\Users\Admin\AppData\Local\Temp\F77F.exe
C:\Users\Admin\AppData\Local\Temp\F77F.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 584
2⤵
- Program crash
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 664
2⤵
- Program crash
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 688
2⤵
- Program crash
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 832
2⤵
- Program crash
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 836
2⤵
- Program crash
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 756
2⤵
- Program crash
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1112
2⤵
- Program crash
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1140
2⤵
- Program crash
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1212
2⤵
- Program crash
PID:1352

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 608
3⤵
- Program crash
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 744
3⤵
- Program crash
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 808
3⤵
- Program crash
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 976
3⤵
- Program crash
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1008
3⤵
- Program crash
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 996
3⤵
- Program crash
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1052
3⤵
- Program crash
PID:1596

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
3⤵
- Creates scheduled task(s)
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 928
3⤵
- Program crash
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 684
3⤵
- Program crash
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 928
3⤵
- Program crash
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 808
3⤵
- Program crash
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1040
3⤵
- Program crash
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1236
3⤵
- Program crash
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1036
3⤵
- Program crash
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1044
3⤵
- Program crash
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1528
3⤵
- Program crash
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1504
3⤵
- Program crash
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1516
3⤵
- Program crash
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1668
3⤵
- Program crash
PID:4848

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:1960

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:944

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:4964

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:908

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:752

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 928
3⤵
- Program crash
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1096
3⤵
- Program crash
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1552 -ip 1552
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1552 -ip 1552
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1552 -ip 1552
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1552 -ip 1552
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1552 -ip 1552
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1552 -ip 1552
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1552 -ip 1552
1⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1552 -ip 1552
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1552 -ip 1552
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2200 -ip 2200
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2200 -ip 2200
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2200 -ip 2200
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2200 -ip 2200
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2200 -ip 2200
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2200 -ip 2200
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2200 -ip 2200
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2200 -ip 2200
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2200 -ip 2200
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2200 -ip 2200
1⤵
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 2200 -ip 2200
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 2200 -ip 2200
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 2200 -ip 2200
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 2200 -ip 2200
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 2200 -ip 2200
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 2200 -ip 2200
1⤵
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 2200 -ip 2200
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 2200 -ip 2200
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 2200 -ip 2200
1⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
1⤵
- Executes dropped EXE
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 2200 -ip 2200
1⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 2200 -ip 2200
1⤵
PID:536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\803511929133
Filesize
76KB

MD5
5512efd380546f1869638267866d51d3

SHA1
15d575cced9b917ff6b924277626c3580c6b708c

SHA256
29efd62dfd728f3e71926233dbec59d47e28ea30067e249ff44723f6b9537d46

SHA512
0b2ac824b181410590307460a0914e1a1b74b17e31d3a28037a34fbd70972510f50a6edd37a62f0753d75702eab066629850ab7e36dd5ff91ccc50b9f72d68f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\F77F.exe
Filesize
383KB

MD5
8051069ecde0f4c4c7b85597ee595863

SHA1
8ed4f41257b5b748d73733af7fb29b25f07ac7fa

SHA256
d5f94c6a15bdeddfd70f6b537b28f809e33afa68c183abb25d33015056885838

SHA512
21860a0113612f19620ca82afe07c839e2b74c1164eb241165f1ff4efaf5dc96862428f1fa824fa4831cc49ef41e5aa219e529827a2c9de102b68734548c9a81

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll
Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
memory/1176-78-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/1176-77-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1552-16-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1552-17-0x00000000020E0000-0x000000000214F000-memory.dmp

Filesize
444KB

Download
memory/1552-18-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1552-33-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1552-35-0x00000000020E0000-0x000000000214F000-memory.dmp

Filesize
444KB

Download
memory/2200-37-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2200-68-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2200-36-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/2200-53-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2200-54-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2200-95-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2200-67-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/2200-93-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2200-71-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2200-74-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2200-91-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3436-4-0x0000000002070000-0x0000000002086000-memory.dmp

Filesize
88KB

Download
memory/4996-2-0x00000000005A0000-0x00000000005AB000-memory.dmp

Filesize
44KB

Download
memory/4996-3-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4996-1-0x0000000000770000-0x0000000000870000-memory.dmp

Filesize
1024KB

Download
memory/4996-5-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads