amadey | b8a974ff0066513b4fac4f6a256a39933af90a9df9b03d6234d1a4bf88b7b0e8

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
15-02-2024 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8a974ff0066513b4fac4f6a256a39933af90a9df9b03d6234d1a4bf88b7b0e8.exe
Size

217KB
MD5

ea8dcf2eee76f737f8796bdbf7e33a06
SHA1

a30a310bf397ac2c5c15df009f12c91b7a2641b4
SHA256

b8a974ff0066513b4fac4f6a256a39933af90a9df9b03d6234d1a4bf88b7b0e8
SHA512

305c1b28f68dff88cf0006d61c3210e9b32f32490ddfcd361fc0923214e39aacd936a1f3a195b6fd3a876f5eacf054ce22d15b6fcc254024d33f5f6e13ea1e3b
SSDEEP

3072:d3tinQnUoC0pvo/Uw/3BofIclBYKw6tkp3P00gpUCL5HVFUjWjJkp:d3cnQnO+vNlBH1t4P0a65HYjWjm

Score

10^/10

amadey dcrat djvu smokeloader vidar 13bd7290c1961db27b4ede41bfbf4c5e tfd5 backdoor discovery evasion infostealer persistence ransomware rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

tfd5

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.lkhy
offline_id
OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1
payload_url
http://brusuax.com/dl/build2.exe

http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0851ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.8

Botnet

13bd7290c1961db27b4ede41bfbf4c5e

https://t.me/karl3on

https://steamcommunity.com/profiles/76561199637071579

Attributes

profile_id_v2
13bd7290c1961db27b4ede41bfbf4c5e
user_agent
Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

b8a974ff0066513b4fac4f6a256a39933af90a9df9b03d6234d1a4bf88b7b0e8.exe8E1D.exeschtasks.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b8a974ff0066513b4fac4f6a256a39933af90a9df9b03d6234d1a4bf88b7b0e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2b69a920-6038-4c3b-b4ee-ef90ea365707\\8E1D.exe\" --AutoStart"	8E1D.exe
1560	schtasks.exe
2108	schtasks.exe

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2876-127-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/1208-131-0x0000000000260000-0x0000000000291000-memory.dmp	family_vidar_v7
behavioral1/memory/2876-132-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2876-133-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2876-280-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2508-28-0x00000000045E0000-0x00000000046FB000-memory.dmp	family_djvu
behavioral1/memory/2580-33-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2580-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2580-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2580-76-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-86-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-87-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-104-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-103-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-108-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-110-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-111-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-134-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-145-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Detects Windows executables referencing non-Windows User-Agents 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2876-127-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2876-132-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2876-133-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2876-280-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2876-127-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/2876-132-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/2876-133-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/2876-280-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

438.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 438.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	438.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

438.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	438.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	438.exe

Deletes itself 1 IoCs

Processes:

pid process

1392

pid	process
1392

Executes dropped EXE 15 IoCs

Processes:

8E1D.exe8E1D.exe8E1D.exe8E1D.exebuild2.exebuild2.exebuild3.exebuild3.exeD490.exemstsca.exemstsca.exe438.exe967.exemstsca.exemstsca.exe

pid	process
2508	8E1D.exe
2580	8E1D.exe
2792	8E1D.exe
2844	8E1D.exe
1208	build2.exe
2876	build2.exe
1660	build3.exe
1224	build3.exe
1780	D490.exe
2800	mstsca.exe
1668	mstsca.exe
2732	438.exe
2424	967.exe
2556	mstsca.exe
2792	mstsca.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

438.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Wine 438.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Wine	438.exe

Loads dropped DLL 17 IoCs

Processes:

8E1D.exe8E1D.exe8E1D.exe8E1D.exeWerFault.exeWerFault.exe

pid	process
2508	8E1D.exe
2580	8E1D.exe
2580	8E1D.exe
2792	8E1D.exe
2844	8E1D.exe
2844	8E1D.exe
2844	8E1D.exe
2844	8E1D.exe
2604	WerFault.exe
2604	WerFault.exe
2604	WerFault.exe
2604	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1296 icacls.exe

pid	process
1296	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8E1D.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2b69a920-6038-4c3b-b4ee-ef90ea365707\\8E1D.exe\" --AutoStart"	8E1D.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 api.2ip.ua
22 api.2ip.ua
42 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

438.exe

pid process

2732 438.exe

flow	ioc
20	api.2ip.ua
22	api.2ip.ua
42	api.2ip.ua

pid	process
2732	438.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

8E1D.exe8E1D.exebuild2.exebuild3.exemstsca.exemstsca.exe

description	pid	process	target process
PID 2508 set thread context of 2580	2508	8E1D.exe	8E1D.exe
PID 2792 set thread context of 2844	2792	8E1D.exe	8E1D.exe
PID 1208 set thread context of 2876	1208	build2.exe	build2.exe
PID 1660 set thread context of 1224	1660	build3.exe	build3.exe
PID 2800 set thread context of 1668	2800	mstsca.exe	mstsca.exe
PID 2556 set thread context of 2792	2556	mstsca.exe	mstsca.exe

Drops file in Windows directory 1 IoCs

Processes:

438.exe

description ioc process

File created C:\Windows\Tasks\explorgu.job 438.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2604 2876 WerFault.exe build2.exe
2564 1780 WerFault.exe D490.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	438.exe

pid	pid_target	process	target process
2604	2876	WerFault.exe	build2.exe
2564	1780	WerFault.exe	D490.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b8a974ff0066513b4fac4f6a256a39933af90a9df9b03d6234d1a4bf88b7b0e8.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b8a974ff0066513b4fac4f6a256a39933af90a9df9b03d6234d1a4bf88b7b0e8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b8a974ff0066513b4fac4f6a256a39933af90a9df9b03d6234d1a4bf88b7b0e8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b8a974ff0066513b4fac4f6a256a39933af90a9df9b03d6234d1a4bf88b7b0e8.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1560 schtasks.exe
2108 schtasks.exe

pid	process
1560	schtasks.exe
2108	schtasks.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

8E1D.exe8E1D.exebuild2.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	8E1D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	8E1D.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	8E1D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	8E1D.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	8E1D.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b8a974ff0066513b4fac4f6a256a39933af90a9df9b03d6234d1a4bf88b7b0e8.exe

pid	process
2072	b8a974ff0066513b4fac4f6a256a39933af90a9df9b03d6234d1a4bf88b7b0e8.exe
2072	b8a974ff0066513b4fac4f6a256a39933af90a9df9b03d6234d1a4bf88b7b0e8.exe
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

b8a974ff0066513b4fac4f6a256a39933af90a9df9b03d6234d1a4bf88b7b0e8.exe

pid process

2072 b8a974ff0066513b4fac4f6a256a39933af90a9df9b03d6234d1a4bf88b7b0e8.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1392
Token: SeShutdownPrivilege 1392
Token: SeShutdownPrivilege 1392
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

438.exe

pid process

1392
1392
2732 438.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1392
1392

description	pid	process
Token: SeShutdownPrivilege	1392
Token: SeShutdownPrivilege	1392
Token: SeShutdownPrivilege	1392

pid	process
1392
1392
2732	438.exe

pid	process
1392
1392

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe8E1D.exe8E1D.exe8E1D.exe8E1D.exebuild2.exebuild3.exe

description	pid	process	target process
PID 1392 wrote to memory of 2880	1392		cmd.exe
PID 1392 wrote to memory of 2880	1392		cmd.exe
PID 1392 wrote to memory of 2880	1392		cmd.exe
PID 2880 wrote to memory of 2728	2880	cmd.exe	reg.exe
PID 2880 wrote to memory of 2728	2880	cmd.exe	reg.exe
PID 2880 wrote to memory of 2728	2880	cmd.exe	reg.exe
PID 1392 wrote to memory of 2508	1392		8E1D.exe
PID 1392 wrote to memory of 2508	1392		8E1D.exe
PID 1392 wrote to memory of 2508	1392		8E1D.exe
PID 1392 wrote to memory of 2508	1392		8E1D.exe
PID 2508 wrote to memory of 2580	2508	8E1D.exe	8E1D.exe
PID 2508 wrote to memory of 2580	2508	8E1D.exe	8E1D.exe
PID 2508 wrote to memory of 2580	2508	8E1D.exe	8E1D.exe
PID 2508 wrote to memory of 2580	2508	8E1D.exe	8E1D.exe
PID 2508 wrote to memory of 2580	2508	8E1D.exe	8E1D.exe
PID 2508 wrote to memory of 2580	2508	8E1D.exe	8E1D.exe
PID 2508 wrote to memory of 2580	2508	8E1D.exe	8E1D.exe
PID 2508 wrote to memory of 2580	2508	8E1D.exe	8E1D.exe
PID 2508 wrote to memory of 2580	2508	8E1D.exe	8E1D.exe
PID 2508 wrote to memory of 2580	2508	8E1D.exe	8E1D.exe
PID 2508 wrote to memory of 2580	2508	8E1D.exe	8E1D.exe
PID 2580 wrote to memory of 1296	2580	8E1D.exe	icacls.exe
PID 2580 wrote to memory of 1296	2580	8E1D.exe	icacls.exe
PID 2580 wrote to memory of 1296	2580	8E1D.exe	icacls.exe
PID 2580 wrote to memory of 1296	2580	8E1D.exe	icacls.exe
PID 2580 wrote to memory of 2792	2580	8E1D.exe	8E1D.exe
PID 2580 wrote to memory of 2792	2580	8E1D.exe	8E1D.exe
PID 2580 wrote to memory of 2792	2580	8E1D.exe	8E1D.exe
PID 2580 wrote to memory of 2792	2580	8E1D.exe	8E1D.exe
PID 2792 wrote to memory of 2844	2792	8E1D.exe	8E1D.exe
PID 2792 wrote to memory of 2844	2792	8E1D.exe	8E1D.exe
PID 2792 wrote to memory of 2844	2792	8E1D.exe	8E1D.exe
PID 2792 wrote to memory of 2844	2792	8E1D.exe	8E1D.exe
PID 2792 wrote to memory of 2844	2792	8E1D.exe	8E1D.exe
PID 2792 wrote to memory of 2844	2792	8E1D.exe	8E1D.exe
PID 2792 wrote to memory of 2844	2792	8E1D.exe	8E1D.exe
PID 2792 wrote to memory of 2844	2792	8E1D.exe	8E1D.exe
PID 2792 wrote to memory of 2844	2792	8E1D.exe	8E1D.exe
PID 2792 wrote to memory of 2844	2792	8E1D.exe	8E1D.exe
PID 2792 wrote to memory of 2844	2792	8E1D.exe	8E1D.exe
PID 2844 wrote to memory of 1208	2844	8E1D.exe	build2.exe
PID 2844 wrote to memory of 1208	2844	8E1D.exe	build2.exe
PID 2844 wrote to memory of 1208	2844	8E1D.exe	build2.exe
PID 2844 wrote to memory of 1208	2844	8E1D.exe	build2.exe
PID 1208 wrote to memory of 2876	1208	build2.exe	build2.exe
PID 1208 wrote to memory of 2876	1208	build2.exe	build2.exe
PID 1208 wrote to memory of 2876	1208	build2.exe	build2.exe
PID 1208 wrote to memory of 2876	1208	build2.exe	build2.exe
PID 1208 wrote to memory of 2876	1208	build2.exe	build2.exe
PID 1208 wrote to memory of 2876	1208	build2.exe	build2.exe
PID 1208 wrote to memory of 2876	1208	build2.exe	build2.exe
PID 1208 wrote to memory of 2876	1208	build2.exe	build2.exe
PID 1208 wrote to memory of 2876	1208	build2.exe	build2.exe
PID 1208 wrote to memory of 2876	1208	build2.exe	build2.exe
PID 1208 wrote to memory of 2876	1208	build2.exe	build2.exe
PID 2844 wrote to memory of 1660	2844	8E1D.exe	build3.exe
PID 2844 wrote to memory of 1660	2844	8E1D.exe	build3.exe
PID 2844 wrote to memory of 1660	2844	8E1D.exe	build3.exe
PID 2844 wrote to memory of 1660	2844	8E1D.exe	build3.exe
PID 1660 wrote to memory of 1224	1660	build3.exe	build3.exe
PID 1660 wrote to memory of 1224	1660	build3.exe	build3.exe
PID 1660 wrote to memory of 1224	1660	build3.exe	build3.exe
PID 1660 wrote to memory of 1224	1660	build3.exe	build3.exe
PID 1660 wrote to memory of 1224	1660	build3.exe	build3.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b8a974ff0066513b4fac4f6a256a39933af90a9df9b03d6234d1a4bf88b7b0e8.exe
"C:\Users\Admin\AppData\Local\Temp\b8a974ff0066513b4fac4f6a256a39933af90a9df9b03d6234d1a4bf88b7b0e8.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2072

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5E46.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:2728

C:\Users\Admin\AppData\Local\Temp\8E1D.exe
C:\Users\Admin\AppData\Local\Temp\8E1D.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\8E1D.exe
  C:\Users\Admin\AppData\Local\Temp\8E1D.exe
  2⤵
  - DcRat
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\2b69a920-6038-4c3b-b4ee-ef90ea365707" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:1296
- - C:\Users\Admin\AppData\Local\Temp\8E1D.exe
    "C:\Users\Admin\AppData\Local\Temp\8E1D.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\8E1D.exe
      "C:\Users\Admin\AppData\Local\Temp\8E1D.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Users\Admin\AppData\Local\df8a3037-f4eb-4f2f-a858-f3a9f82e3e21\build2.exe
        
        "C:\Users\Admin\AppData\Local\df8a3037-f4eb-4f2f-a858-f3a9f82e3e21\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1208
      - C:\Users\Admin\AppData\Local\df8a3037-f4eb-4f2f-a858-f3a9f82e3e21\build2.exe
        
        "C:\Users\Admin\AppData\Local\df8a3037-f4eb-4f2f-a858-f3a9f82e3e21\build2.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:2876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1424
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2604
    - - C:\Users\Admin\AppData\Local\df8a3037-f4eb-4f2f-a858-f3a9f82e3e21\build3.exe
        
        "C:\Users\Admin\AppData\Local\df8a3037-f4eb-4f2f-a858-f3a9f82e3e21\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Users\Admin\AppData\Local\df8a3037-f4eb-4f2f-a858-f3a9f82e3e21\build3.exe
        
        "C:\Users\Admin\AppData\Local\df8a3037-f4eb-4f2f-a858-f3a9f82e3e21\build3.exe"
        6⤵
        Executes dropped EXE
        
        PID:1224
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        DcRat
        Creates scheduled task(s)
        
        PID:1560

C:\Users\Admin\AppData\Local\Temp\D490.exe
C:\Users\Admin\AppData\Local\Temp\D490.exe
1⤵
- Executes dropped EXE
PID:1780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 96
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2564

C:\Windows\system32\taskeng.exe
taskeng.exe {6299BF14-AE3F-4F58-9BD5-DE68D4558AEA} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
1⤵
PID:2180
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2800
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:1668
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:2108
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2556
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:2792

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\E811.bat" "
1⤵
PID:1468
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:584

C:\Users\Admin\AppData\Local\Temp\438.exe
C:\Users\Admin\AppData\Local\Temp\438.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:2732

C:\Users\Admin\AppData\Local\Temp\967.exe
C:\Users\Admin\AppData\Local\Temp\967.exe
1⤵
- Executes dropped EXE
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
486aebeeb76a792eeaf8ab052521a435

SHA1
ac8b734bc9a5afb32cbfec95387bfa655913a323

SHA256
70074beff23c35473462d486e1162bce89af86dae5123b6aab7bfbb6d9bf8e61

SHA512
5da5c0f18cd8b3e6233adcce9d97b25f5842ba8ed503c3b28b98d6c417ffd6f59f3375309ae2ac2fff2670c9cb547b5e465f0063ccd66ebbe61e17347ceee2cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
45235f1bca2951f342d1b0e68f4dc286

SHA1
dbbbd85d22e4bb9fa19cb192f833daaf3cdce49d

SHA256
d524e5f4cd389c293dedd658d714962ee02c1e826ef428372d18b7e275cda9ac

SHA512
486bed6e28979e793c328eab96151f279e8683ddf27337a7f82489148d8c933b78d0b6c42a182c3e0c78eb0757f179589876ca57eae8af1a84bcf2683a95800e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
61010b6bc81ca29a29d5092a9b92323c

SHA1
51b441cfd4b107dbd21e97c5a8c9cb1eaafc2ac3

SHA256
2c273e3a007341b3824d8806accb70dbd2f99c131613d29f00f2c6abfe5c1d55

SHA512
9c0ac6dc511ae422369439390108d2875a2438bad4558972b18f788e5212fbc755da7b30b97975036cfa832a2cf90521c287ac47a0103fd2a2ad020f3ef63a67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e218038c97e9dcc4c63f8f92c8601c5

SHA1
c4f7d91e238d647dd95648d4f8644e4aa94bdf34

SHA256
54c4cc7e5499651c096b370fa3441ffa5e4777db5ef9c5534475227023ce3831

SHA512
a9e359bf364dcf0985b29417dac360a916b5ee11e9d042cb7b4f519a0dff03cf83339dee8528a4c0539fd56148721ce6a7cfa8ba87bfa73201644ce327ac1256

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9de067e9ad164ac8a5daf21b42423793

SHA1
5fd6a9f7aad428c66e7867cde3d65ba6bc7b12cb

SHA256
4171f84baf75de7e9fc5b9734d5c56449e99057936350a0ac34053f544ebd58c

SHA512
f35ed7131821e335b9208446eea0cacae580337a95df12b531a107708be7784b4d745e580a6fd45c6abd727d0f11d7442a0f6252f71f240f09a5943e7a65354b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7992b264d3b6a16a63814e7a86007418

SHA1
24c83ae5552254ca6554f21e6b58329c8da65d26

SHA256
607cb63ff85e625b653cb67faefa0646f4055bae0ab5329ff2a23518f4131ae7

SHA512
6d56385b136e09ec13fa8e7a62e8624976994a6632436f9a87ecf7761ced789e9f04db0a93fbcba8029361ea9a4dec1a1bf699c7bbd4c6ef721e30928558202d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
5d36607ca3f5cc88b483dce71c7fe495

SHA1
1a1ca5602b7c6ddb9a963e8f11c9e72bdd1f8de2

SHA256
a0f4f0f07a9a5f5f1017eb6aa32ce25282228de0a9c3cf2be8ef779ed09e9afa

SHA512
f75728a0a67991858c182974de18116fb4ed852836c675f8b18c6e720c453da7ddf3221796942464547dec2dc9cabec0cdba2bf9188aaeb200aab22ec9366a68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
c434794b74173f9d65b7d3247dfc7dbc

SHA1
2744a3a6b8849ca41f6ed65869250787f939b0aa

SHA256
2aa64074b344c6c4787f1a5d54a7e91d517fd3b4d65e5e9da7ea9c49b38549b5

SHA512
86152ea7711775ff13937ac70ef05cb5f6fcb7467c3fa9c7750f1d78f85dccb6230177d9e9803390707df7f72a97c17a2b3d0cc9a54e6857d1eba6ca50225e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\438.exe

Filesize
1.8MB

MD5
01cc26ecbfdeebceb71a8164da05fef3

SHA1
2bcadbcc1329fde8d7eb7b4ddee33a9690715b0a

SHA256
b8c3dd017ddb8ea416e886acf134b17e91c44b8ccc1eec03f760bb4b328ab00f

SHA512
006da3cbcca6bebfa82bb6d6d046e1a9a9a5bf8346bbc5ce30c1eb8b8249b930f9aaf8bbf92058183529e31827a8504f8f6b3710c0bb3e6a8a02b888e6766bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E46.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E1D.exe

Filesize
788KB

MD5
1e962c67893e14647c2b57a8b4fe25d4

SHA1
2f2ce07ed3712576d8629f42bc7d377cc5b2d62a

SHA256
c87c4bf8647258e7215f77f8b2ca29a4c507a2ff0f55f434cc3706f805291a3f

SHA512
1d256f3d66e252f54e46a56f01aca379d823d3e40af517604363a939084702e3ebb71eeed0c174ea608b4752b07f1f0493955f062167f0114462e06df58f1f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\967.exe

Filesize
63KB

MD5
cbfbeaf0a6e70056f43406053cd61f1e

SHA1
b7088a9f29b8ab84aedaffec81441580775d5393

SHA256
fa776a4e5e0653f7856a19c3a9fbdad306eb9365cb553bc223d8075be5f5cd3b

SHA512
2930b11123191108d66e1bba5cb43f34ca963c424f6dd9c61751db62cef3039773dd100c179909d30099953513ca6eb07e29732af7928d2602c35a8020271c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D490.exe

Filesize
6.3MB

MD5
b1e8d4d7dd26612c17eccbf66b280e7c

SHA1
97dd5e81a4014fb54ef5ac3f1db88519843c85c2

SHA256
e3940372b04a4cb2177ae409c195debccfe004600d73a39d429a577d248d4cb2

SHA512
ff70dd3103128cd36bd1da3a734e635ec76d53a5629fc1f05941d6cadb9e82310da0ea298dcf449ef17c42a70ea7d787a75585ffa37a74f9007ca91a4481ecc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\D490.exe

Filesize
4.2MB

MD5
c2efabcb8fabd290bae13315728851e4

SHA1
471913006bcb0c59dc561c7aeb2565bd906ad017

SHA256
b0932ba052d99da7a4e0a689024f85515a9731af93467366d6a76b48314f493e

SHA512
2bdd1ac5c9943c9f98a89eb1234cf5369fdd3a4c20e408f35437475168dbdaff839da061d6fcaa9d734935e1bf58cc4fc9f1f23799a49214dec3a7b2aadd017c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9770.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\D490.exe

Filesize
5.7MB

MD5
0f345194e7435e2d74ef14bf03155a72

SHA1
271e5bd6740e749ee92eeb3aeb8e656b5161370b

SHA256
f7a39dcf76db881d0a3c232b1049933ad7071996ee1a34f42c807daf92929ef4

SHA512
3f78c80a300ea79ebc7986e514ee156e38416243ba2f2af242c60136eb2e4f7affa58d108661df5901bf2f9afe9e0f781129215d6d235fda03794f9121a6b293

Download Submit
\Users\Admin\AppData\Local\df8a3037-f4eb-4f2f-a858-f3a9f82e3e21\build2.exe

Filesize
255KB

MD5
c57c76d6dc6ed6b6e534d8180294fc2d

SHA1
6c164812674571f84eeba36d07e47241ca22c40e

SHA256
4e8d80a17217b51fde5079a5c195b4dc24890797cf6346c366a59c9c35847a2b

SHA512
6f92fe7f51aeecc12c216b4b801cc6320e70f89ac1bf5f9905df6bf2f753b7045da78d238cceddb0d93bac0feabaf8f4ffbb65acded8ba679515444f166a56a3

Download Submit
\Users\Admin\AppData\Local\df8a3037-f4eb-4f2f-a858-f3a9f82e3e21\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
memory/1208-129-0x0000000000635000-0x0000000000650000-memory.dmp

Filesize
108KB

Download
memory/1208-131-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/1224-156-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1224-149-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1224-151-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1224-158-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1392-4-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/1660-155-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1660-153-0x00000000009B2000-0x00000000009C3000-memory.dmp

Filesize
68KB

Download
memory/1780-304-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1780-301-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1780-424-0x0000000000E70000-0x0000000001C9B000-memory.dmp

Filesize
14.2MB

Download
memory/1780-293-0x0000000000E70000-0x0000000001C9B000-memory.dmp

Filesize
14.2MB

Download
memory/1780-295-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1780-341-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1780-317-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1780-314-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1780-297-0x0000000077B60000-0x0000000077B61000-memory.dmp

Filesize
4KB

Download
memory/1780-311-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1780-309-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1780-296-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1780-306-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1780-288-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1780-290-0x0000000000E70000-0x0000000001C9B000-memory.dmp

Filesize
14.2MB

Download
memory/1780-302-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1780-291-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1780-299-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2072-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2072-5-0x0000000000400000-0x0000000002BE4000-memory.dmp

Filesize
39.9MB

Download
memory/2072-3-0x0000000000400000-0x0000000002BE4000-memory.dmp

Filesize
39.9MB

Download
memory/2072-1-0x0000000002CA0000-0x0000000002DA0000-memory.dmp

Filesize
1024KB

Download
memory/2508-26-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2508-28-0x00000000045E0000-0x00000000046FB000-memory.dmp

Filesize
1.1MB

Download
memory/2508-27-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2556-497-0x00000000008A0000-0x00000000009A0000-memory.dmp

Filesize
1024KB

Download
memory/2580-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2580-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2580-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2580-76-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2580-33-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2732-445-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/2732-444-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2732-431-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/2732-427-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/2732-426-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2732-438-0x0000000000F70000-0x000000000141D000-memory.dmp

Filesize
4.7MB

Download
memory/2732-429-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/2732-452-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2732-435-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/2732-437-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/2732-453-0x0000000000F70000-0x000000000141D000-memory.dmp

Filesize
4.7MB

Download
memory/2732-436-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/2732-428-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/2732-430-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/2732-423-0x0000000000F70000-0x000000000141D000-memory.dmp

Filesize
4.7MB

Download
memory/2732-446-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/2732-425-0x0000000077B50000-0x0000000077B52000-memory.dmp

Filesize
8KB

Download
memory/2732-432-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2732-434-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/2732-433-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/2792-85-0x0000000000310000-0x00000000003A1000-memory.dmp

Filesize
580KB

Download
memory/2792-78-0x0000000000310000-0x00000000003A1000-memory.dmp

Filesize
580KB

Download
memory/2800-319-0x0000000000C30000-0x0000000000D30000-memory.dmp

Filesize
1024KB

Download
memory/2844-108-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-111-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-110-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-86-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-145-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-134-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-104-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-103-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-87-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2876-127-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2876-132-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2876-125-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2876-133-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2876-280-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download