amadey | ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387

General

Target

ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
Size

217KB
MD5

d722704eff46ac5ca68723e9d35e9c81
SHA1

c08f9166337b98a774fd43b771c652bead0b57af
SHA256

ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387
SHA512

80f2c9d8e5f630e1b2b511a7460a31c4b98ff8e628fecba33546205a00c11b5638a484c559b7c466cb7d2f2bc9f92b791fa7ab4e7d15cc55c4a0ff65de7a0e9b
SSDEEP

6144:DHfZ8S+RSDnm9WwgFyzE9P08R5HYjWjm:TfZ8S+ILm9PgFyzO08R5f

Score

10^/10

amadey smokeloader pub1 backdoor spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

amadey

Version

4.14

C2

http://anfesq.com

http://cbinr.com

http://rimakc.ru

Attributes

install_dir
68fd3d7ade
install_file
Utsysc.exe
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

C20.exeUtsysc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	C20.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	Utsysc.exe

Deletes itself 1 IoCs

Processes:

pid process

3520
Executes dropped EXE 3 IoCs

Processes:

C20.exeUtsysc.exeUtsysc.exe

pid process

3900 C20.exe
324 Utsysc.exe
3048 Utsysc.exe

pid	process
3520

pid	process
3900	C20.exe
324	Utsysc.exe
3048	Utsysc.exe

Loads dropped DLL 9 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
2000	rundll32.exe
2972	rundll32.exe
3516	rundll32.exe
1532	rundll32.exe
3588	rundll32.exe
3392	rundll32.exe
3488	rundll32.exe
1860	rundll32.exe
1356	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 31 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3720	3900	WerFault.exe	C20.exe
4780	3900	WerFault.exe	C20.exe
4772	3900	WerFault.exe	C20.exe
2952	3900	WerFault.exe	C20.exe
2908	3900	WerFault.exe	C20.exe
3800	3900	WerFault.exe	C20.exe
3616	3900	WerFault.exe	C20.exe
5032	3900	WerFault.exe	C20.exe
820	3900	WerFault.exe	C20.exe
4816	3900	WerFault.exe	C20.exe
4332	324	WerFault.exe	Utsysc.exe
4536	324	WerFault.exe	Utsysc.exe
208	324	WerFault.exe	Utsysc.exe
1392	324	WerFault.exe	Utsysc.exe
2384	324	WerFault.exe	Utsysc.exe
3436	324	WerFault.exe	Utsysc.exe
236	324	WerFault.exe	Utsysc.exe
3696	324	WerFault.exe	Utsysc.exe
1076	324	WerFault.exe	Utsysc.exe
2612	324	WerFault.exe	Utsysc.exe
5028	324	WerFault.exe	Utsysc.exe
4068	324	WerFault.exe	Utsysc.exe
2948	324	WerFault.exe	Utsysc.exe
5056	324	WerFault.exe	Utsysc.exe
2780	324	WerFault.exe	Utsysc.exe
4464	324	WerFault.exe	Utsysc.exe
1880	324	WerFault.exe	Utsysc.exe
4264	324	WerFault.exe	Utsysc.exe
2920	324	WerFault.exe	Utsysc.exe
2816	3048	WerFault.exe	Utsysc.exe
4600	324	WerFault.exe	Utsysc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4032 schtasks.exe

pid	process
4032	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe

pid	process
208	ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
208	ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe

pid process

208 ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520
Token: SeShutdownPrivilege	3520
Token: SeCreatePagefilePrivilege	3520

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

C20.exe

pid process

3900 C20.exe

pid	process
3900	C20.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

C20.exeUtsysc.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 3520 wrote to memory of 3900	3520		C20.exe
PID 3520 wrote to memory of 3900	3520		C20.exe
PID 3520 wrote to memory of 3900	3520		C20.exe
PID 3900 wrote to memory of 324	3900	C20.exe	Utsysc.exe
PID 3900 wrote to memory of 324	3900	C20.exe	Utsysc.exe
PID 3900 wrote to memory of 324	3900	C20.exe	Utsysc.exe
PID 324 wrote to memory of 4032	324	Utsysc.exe	schtasks.exe
PID 324 wrote to memory of 4032	324	Utsysc.exe	schtasks.exe
PID 324 wrote to memory of 4032	324	Utsysc.exe	schtasks.exe
PID 324 wrote to memory of 2000	324	Utsysc.exe	rundll32.exe
PID 324 wrote to memory of 2000	324	Utsysc.exe	rundll32.exe
PID 324 wrote to memory of 2000	324	Utsysc.exe	rundll32.exe
PID 2000 wrote to memory of 2972	2000	rundll32.exe	rundll32.exe
PID 2000 wrote to memory of 2972	2000	rundll32.exe	rundll32.exe
PID 324 wrote to memory of 3516	324	Utsysc.exe	rundll32.exe
PID 324 wrote to memory of 3516	324	Utsysc.exe	rundll32.exe
PID 324 wrote to memory of 3516	324	Utsysc.exe	rundll32.exe
PID 3516 wrote to memory of 1532	3516	rundll32.exe	rundll32.exe
PID 3516 wrote to memory of 1532	3516	rundll32.exe	rundll32.exe
PID 324 wrote to memory of 3588	324	Utsysc.exe	rundll32.exe
PID 324 wrote to memory of 3588	324	Utsysc.exe	rundll32.exe
PID 324 wrote to memory of 3588	324	Utsysc.exe	rundll32.exe
PID 3588 wrote to memory of 3392	3588	rundll32.exe	rundll32.exe
PID 3588 wrote to memory of 3392	3588	rundll32.exe	rundll32.exe
PID 324 wrote to memory of 3488	324	Utsysc.exe	rundll32.exe
PID 324 wrote to memory of 3488	324	Utsysc.exe	rundll32.exe
PID 324 wrote to memory of 3488	324	Utsysc.exe	rundll32.exe
PID 324 wrote to memory of 1860	324	Utsysc.exe	rundll32.exe
PID 324 wrote to memory of 1860	324	Utsysc.exe	rundll32.exe
PID 324 wrote to memory of 1860	324	Utsysc.exe	rundll32.exe
PID 324 wrote to memory of 1356	324	Utsysc.exe	rundll32.exe
PID 324 wrote to memory of 1356	324	Utsysc.exe	rundll32.exe
PID 324 wrote to memory of 1356	324	Utsysc.exe	rundll32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
"C:\Users\Admin\AppData\Local\Temp\ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:208

C:\Users\Admin\AppData\Local\Temp\C20.exe
C:\Users\Admin\AppData\Local\Temp\C20.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 584
2⤵
- Program crash
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 664
2⤵
- Program crash
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 732
2⤵
- Program crash
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 860
2⤵
- Program crash
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 868
2⤵
- Program crash
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 868
2⤵
- Program crash
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1056
2⤵
- Program crash
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1160
2⤵
- Program crash
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1136
2⤵
- Program crash
PID:820

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 604
3⤵
- Program crash
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 792
3⤵
- Program crash
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 928
3⤵
- Program crash
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1012
3⤵
- Program crash
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 936
3⤵
- Program crash
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 936
3⤵
- Program crash
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 996
3⤵
- Program crash
PID:236

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
3⤵
- Creates scheduled task(s)
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 916
3⤵
- Program crash
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1184
3⤵
- Program crash
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 640
3⤵
- Program crash
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 692
3⤵
- Program crash
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1200
3⤵
- Program crash
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 688
3⤵
- Program crash
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 684
3⤵
- Program crash
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1192
3⤵
- Program crash
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1452
3⤵
- Program crash
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1656
3⤵
- Program crash
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1656
3⤵
- Program crash
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1464
3⤵
- Program crash
PID:2920

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:2972

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:1532

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:3392

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:3488

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:1860

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1560
3⤵
- Program crash
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 596
2⤵
- Program crash
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3900 -ip 3900
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3900 -ip 3900
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3900 -ip 3900
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3900 -ip 3900
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3900 -ip 3900
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3900 -ip 3900
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3900 -ip 3900
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3900 -ip 3900
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3900 -ip 3900
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 3900 -ip 3900
1⤵
PID:492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 324 -ip 324
1⤵
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 324 -ip 324
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 324 -ip 324
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 324 -ip 324
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 324 -ip 324
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 324 -ip 324
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 324 -ip 324
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 324 -ip 324
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 324 -ip 324
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 324 -ip 324
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 324 -ip 324
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 324 -ip 324
1⤵
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 324 -ip 324
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 324 -ip 324
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 324 -ip 324
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 324 -ip 324
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 324 -ip 324
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 324 -ip 324
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 324 -ip 324
1⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
1⤵
- Executes dropped EXE
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 432
2⤵
- Program crash
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3048 -ip 3048
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 324 -ip 324
1⤵
PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\815711207184

Filesize
75KB

MD5
eecaa1b7b28d733354b5518fea6b1a11

SHA1
ad53f4767453062d801363ec086e9bad19336013

SHA256
43f2d9a4bc567711f81756a59c7d9c867afad72779a8392fc9f8080360440503

SHA512
1c27f19445eedb93523da76982dc24aa5cb372039b08cc8aa1408b3629487ecd3c1012c5d4b639a1a245bead6b825956e94819f4d576af742cf69323bc44a6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\C20.exe

Filesize
156KB

MD5
193c317b333b536d081e9a2952c1bbc5

SHA1
46468dfae59a2640de78a7cecb18a24303ffdaad

SHA256
feffdd8bbaba7155fd5c595247bc528e25fe0f2fa0625d718550f349bace0576

SHA512
f69aa886fe3811cc9e0a7c7362a4860c8ee766e5d21c80ac020309cdcd7cde47abe420f1b7c0794b377389e5282df6e7055db5c502911bbd8a5a46ea5823c804

Download Submit
C:\Users\Admin\AppData\Local\Temp\C20.exe

Filesize
395KB

MD5
1e42a52c9909dd21636bba1b0f00f8e8

SHA1
93f8c29dd3b615a97ef35b5bb3d5523bfe21d613

SHA256
0747f384a5cf12ae118c194c48a59dc7dcbb23c75b9d7d43b1cb03be8c711719

SHA512
400451711cf3ce5f756f63008a4461271f86faeeaa0dcfbc24caacb98f5aef7c61d897038f38f58b770d95ffc420da2fb686b8934eb573c13ce11910c6f7cf40

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
memory/208-2-0x0000000002D80000-0x0000000002D8B000-memory.dmp

Filesize
44KB

Download
memory/208-3-0x0000000000400000-0x0000000002BE4000-memory.dmp

Filesize
39.9MB

Download
memory/208-5-0x0000000000400000-0x0000000002BE4000-memory.dmp

Filesize
39.9MB

Download
memory/208-1-0x0000000002EB0000-0x0000000002FB0000-memory.dmp

Filesize
1024KB

Download
memory/324-74-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/324-67-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/324-35-0x0000000004850000-0x00000000048BF000-memory.dmp

Filesize
444KB

Download
memory/324-37-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/324-95-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/324-38-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/324-89-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/324-54-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/324-86-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/324-34-0x0000000002DB0000-0x0000000002EB0000-memory.dmp

Filesize
1024KB

Download
memory/324-68-0x0000000002DB0000-0x0000000002EB0000-memory.dmp

Filesize
1024KB

Download
memory/324-71-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/3048-91-0x0000000002DC0000-0x0000000002EC0000-memory.dmp

Filesize
1024KB

Download
memory/3048-92-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/3520-4-0x0000000002C60000-0x0000000002C76000-memory.dmp

Filesize
88KB

Download
memory/3900-16-0x0000000002CD0000-0x0000000002DD0000-memory.dmp

Filesize
1024KB

Download
memory/3900-17-0x0000000004880000-0x00000000048EF000-memory.dmp

Filesize
444KB

Download
memory/3900-18-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/3900-36-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads