amadey | a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d

Analysis

max time kernel
146s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
26-03-2024 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exe
Size

1.8MB
MD5

3ad5498be022c8dc94fe49e5626c56f0
SHA1

d2b33fd32f28eda47453e536a04fb5b5e18c7651
SHA256

a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d
SHA512

9684b871459aae055086a70d344295185c6021e5eb59d0036e7ee302cea07b741fecf67b452146513974195f2e730da31c9d4bc8f7a804d526c978c4e0a2d776
SSDEEP

49152:4OMSfGuQq0UI+4dEhjv5LA6XbJ/RxCJODxFj:Vr9Qq0U4svl/dHv

Score

10^/10

amadey stealc discovery evasion spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

stealc

http://185.172.128.209

Attributes

url_path
/3cd2b41cbde8fc9c.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorha.exeexplorha.exeexplorha.exea81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exe

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

flow pid process

17 1176 rundll32.exe
20 2500 rundll32.exe
21 2464 rundll32.exe
Downloads MZ/PE file

flow	pid	process
17	1176	rundll32.exe
20	2500	rundll32.exe
21	2464	rundll32.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exeexplorha.exeexplorha.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe

Executes dropped EXE 10 IoCs

Processes:

explorha.exelumma21.exechrosha.exeexplorha.exeNewB.exeISetup8.exeu178.0.exeu178.1.exeNewB.exeexplorha.exe

pid	process
3448	explorha.exe
632	lumma21.exe
3936	chrosha.exe
2976	explorha.exe
4948	NewB.exe
1556	ISetup8.exe
576	u178.0.exe
4720	u178.1.exe
3200	NewB.exe
768	explorha.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exeexplorha.exeexplorha.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Wine	a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exe
Key opened	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Wine	explorha.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exeu178.0.exerundll32.exe

pid process

1176 rundll32.exe
3500 rundll32.exe
2500 rundll32.exe
576 u178.0.exe
576 u178.0.exe
2464 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1176	rundll32.exe
3500	rundll32.exe
2500	rundll32.exe
576	u178.0.exe
576	u178.0.exe
2464	rundll32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\u178.1.exe	upx
behavioral2/memory/4720-130-0x0000000000400000-0x0000000000930000-memory.dmp	upx
behavioral2/memory/4720-186-0x0000000000400000-0x0000000000930000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exeexplorha.exeexplorha.exeexplorha.exe

pid process

2524 a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exe
3448 explorha.exe
2976 explorha.exe
768 explorha.exe

Drops file in Windows directory 2 IoCs

Processes:

a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exelumma21.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exe
File created	C:\Windows\Tasks\chrosha.job	lumma21.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2112 1556 WerFault.exe ISetup8.exe

pid	pid_target	process	target process
2112	1556	WerFault.exe	ISetup8.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

u178.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u178.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u178.0.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3160 schtasks.exe
3348 schtasks.exe

pid	process
3160	schtasks.exe
3348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exeexplorha.exeexplorha.exeu178.0.exerundll32.exepowershell.exeexplorha.exe

pid	process
2524	a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exe
2524	a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exe
3448	explorha.exe
3448	explorha.exe
2976	explorha.exe
2976	explorha.exe
576	u178.0.exe
576	u178.0.exe
2500	rundll32.exe
2500	rundll32.exe
2500	rundll32.exe
2500	rundll32.exe
2500	rundll32.exe
2500	rundll32.exe
2500	rundll32.exe
2500	rundll32.exe
2500	rundll32.exe
2500	rundll32.exe
2340	powershell.exe
2340	powershell.exe
768	explorha.exe
768	explorha.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2340 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

u178.1.exe

pid process

4720 u178.1.exe

description	pid	process
Token: SeDebugPrivilege	2340	powershell.exe

pid	process
4720	u178.1.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exeexplorha.exechrosha.exeNewB.exeISetup8.exeu178.1.execmd.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 2524 wrote to memory of 3448	2524	a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exe	explorha.exe
PID 2524 wrote to memory of 3448	2524	a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exe	explorha.exe
PID 2524 wrote to memory of 3448	2524	a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exe	explorha.exe
PID 3448 wrote to memory of 632	3448	explorha.exe	lumma21.exe
PID 3448 wrote to memory of 632	3448	explorha.exe	lumma21.exe
PID 3448 wrote to memory of 632	3448	explorha.exe	lumma21.exe
PID 3936 wrote to memory of 4948	3936	chrosha.exe	NewB.exe
PID 3936 wrote to memory of 4948	3936	chrosha.exe	NewB.exe
PID 3936 wrote to memory of 4948	3936	chrosha.exe	NewB.exe
PID 4948 wrote to memory of 3160	4948	NewB.exe	schtasks.exe
PID 4948 wrote to memory of 3160	4948	NewB.exe	schtasks.exe
PID 4948 wrote to memory of 3160	4948	NewB.exe	schtasks.exe
PID 4948 wrote to memory of 1556	4948	NewB.exe	ISetup8.exe
PID 4948 wrote to memory of 1556	4948	NewB.exe	ISetup8.exe
PID 4948 wrote to memory of 1556	4948	NewB.exe	ISetup8.exe
PID 1556 wrote to memory of 576	1556	ISetup8.exe	u178.0.exe
PID 1556 wrote to memory of 576	1556	ISetup8.exe	u178.0.exe
PID 1556 wrote to memory of 576	1556	ISetup8.exe	u178.0.exe
PID 1556 wrote to memory of 4720	1556	ISetup8.exe	u178.1.exe
PID 1556 wrote to memory of 4720	1556	ISetup8.exe	u178.1.exe
PID 1556 wrote to memory of 4720	1556	ISetup8.exe	u178.1.exe
PID 4720 wrote to memory of 3824	4720	u178.1.exe	cmd.exe
PID 4720 wrote to memory of 3824	4720	u178.1.exe	cmd.exe
PID 4720 wrote to memory of 3824	4720	u178.1.exe	cmd.exe
PID 3824 wrote to memory of 4648	3824	cmd.exe	chcp.com
PID 3824 wrote to memory of 4648	3824	cmd.exe	chcp.com
PID 3824 wrote to memory of 4648	3824	cmd.exe	chcp.com
PID 3824 wrote to memory of 3348	3824	cmd.exe	schtasks.exe
PID 3824 wrote to memory of 3348	3824	cmd.exe	schtasks.exe
PID 3824 wrote to memory of 3348	3824	cmd.exe	schtasks.exe
PID 3448 wrote to memory of 2308	3448	explorha.exe	rundll32.exe
PID 3448 wrote to memory of 2308	3448	explorha.exe	rundll32.exe
PID 3448 wrote to memory of 2308	3448	explorha.exe	rundll32.exe
PID 2308 wrote to memory of 4344	2308	rundll32.exe	rundll32.exe
PID 2308 wrote to memory of 4344	2308	rundll32.exe	rundll32.exe
PID 3448 wrote to memory of 1176	3448	explorha.exe	rundll32.exe
PID 3448 wrote to memory of 1176	3448	explorha.exe	rundll32.exe
PID 3448 wrote to memory of 1176	3448	explorha.exe	rundll32.exe
PID 3936 wrote to memory of 3500	3936	chrosha.exe	rundll32.exe
PID 3936 wrote to memory of 3500	3936	chrosha.exe	rundll32.exe
PID 3936 wrote to memory of 3500	3936	chrosha.exe	rundll32.exe
PID 3500 wrote to memory of 2500	3500	rundll32.exe	rundll32.exe
PID 3500 wrote to memory of 2500	3500	rundll32.exe	rundll32.exe
PID 2500 wrote to memory of 5100	2500	rundll32.exe	netsh.exe
PID 2500 wrote to memory of 5100	2500	rundll32.exe	netsh.exe
PID 2500 wrote to memory of 2340	2500	rundll32.exe	powershell.exe
PID 2500 wrote to memory of 2340	2500	rundll32.exe	powershell.exe
PID 3936 wrote to memory of 2464	3936	chrosha.exe	rundll32.exe
PID 3936 wrote to memory of 2464	3936	chrosha.exe	rundll32.exe
PID 3936 wrote to memory of 2464	3936	chrosha.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exe
"C:\Users\Admin\AppData\Local\Temp\a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Users\Admin\AppData\Local\Temp\1000037001\lumma21.exe
    "C:\Users\Admin\AppData\Local\Temp\1000037001\lumma21.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:632
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      PID:4344
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:1176

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Users\Admin\AppData\Local\Temp\1000100001\NewB.exe
  "C:\Users\Admin\AppData\Local\Temp\1000100001\NewB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000100001\NewB.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3160
- - C:\Users\Admin\AppData\Local\Temp\1000180001\ISetup8.exe
    "C:\Users\Admin\AppData\Local\Temp\1000180001\ISetup8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\u178.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u178.0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:576
  - - C:\Users\Admin\AppData\Local\Temp\u178.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u178.1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4720
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3824
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:4648
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        6⤵
        Creates scheduled task(s)
        
        PID:3348
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1164
      4⤵
      Program crash
      PID:2112
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:5100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\567984660271_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2340
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2464

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1556 -ip 1556
1⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\1000100001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000100001\NewB.exe
1⤵
- Executes dropped EXE
PID:3200

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.3MB

MD5
154fc91fa6315d762fdff3a0c32581c3

SHA1
4f89b6b3c50ac319e6c8ea52e9a14850a528d489

SHA256
c888fa8c2be99b4d8887938058f42b9b8e0a3ea71dd6e684e7ab5c3a08ba2f2a

SHA512
47b494f9a3497c5095d9b00e07c9f642f1c07a3cc36bf75fbe19ee887eef17291d3ce0a22871529725948d31264af018d0a3aaf7471a3bf789af36caf3d3f87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.8MB

MD5
3ad5498be022c8dc94fe49e5626c56f0

SHA1
d2b33fd32f28eda47453e536a04fb5b5e18c7651

SHA256
a81ab53c72e11d971d466d7417b64596c8145f2c550b8c4346856bad2d1ec60d

SHA512
9684b871459aae055086a70d344295185c6021e5eb59d0036e7ee302cea07b741fecf67b452146513974195f2e730da31c9d4bc8f7a804d526c978c4e0a2d776

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000037001\lumma21.exe

Filesize
413KB

MD5
d467222c3bd563cb72fa49302f80b079

SHA1
9335e2a36abb8309d8a2075faf78d66b968b2a91

SHA256
fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

SHA512
484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000100001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000180001\ISetup8.exe

Filesize
443KB

MD5
75ac5f3474094dc59225e8143ae86380

SHA1
ce68361865c763aa3a3ac1ca9bb84cb8ac5337bf

SHA256
8fb67b9d253fcb2311101faeca907cdcbb6d24bfd839d15c4c49ac7eff085563

SHA512
72a8c1803cb1854dd7fd72a871554f3c77246548435c958031870169a4cae3774aadc3b395488375945c4f481cf95819dadf0743c41e4bfd5fed3dec9affca0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y4a0hyg4.fud.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\u178.0.exe

Filesize
298KB

MD5
e11a8791cce9faa288fed787167ac2eb

SHA1
31671519d6e6582b1ac38e71b54fafd33dbe8413

SHA256
016cb099437cf254e17ee6014a586801413e6196ad38ef5696ebfff3b87d2921

SHA512
ff656318863c8ed39cecdd2ee15b2e38cc8f85695857fa6ed859071d53b1a2985458754311660cee358641c9aa868cd9d17bdc86094f3a69099660edc27163cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\u178.1.exe

Filesize
1.7MB

MD5
eee5ddcffbed16222cac0a1b4e2e466e

SHA1
28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5

SHA256
2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54

SHA512
8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
336KB

MD5
c216232e24c40e42b1e11757ff155a1e

SHA1
04826d059792979bcd27042080fd6f29ffbac1ff

SHA256
249f6354a3c2bfde4836f2916e026f0cfa3e120755d5f753dd7f4d0e93962a52

SHA512
94034f3075301b2565f60c543f511e6f37fb1c29deaae1385303b10a8c838a01f24373a7546b1d352729ca35c72559808495e68120bad37ec081948e94afd874

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
memory/576-117-0x0000000000400000-0x0000000000AF5000-memory.dmp

Filesize
7.0MB

Download
memory/576-286-0x0000000000400000-0x0000000000AF5000-memory.dmp

Filesize
7.0MB

Download
memory/576-146-0x0000000000400000-0x0000000000AF5000-memory.dmp

Filesize
7.0MB

Download
memory/576-252-0x0000000000400000-0x0000000000AF5000-memory.dmp

Filesize
7.0MB

Download
memory/576-147-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/576-116-0x0000000000D60000-0x0000000000D87000-memory.dmp

Filesize
156KB

Download
memory/576-211-0x0000000000400000-0x0000000000AF5000-memory.dmp

Filesize
7.0MB

Download
memory/576-199-0x0000000000DE0000-0x0000000000EE0000-memory.dmp

Filesize
1024KB

Download
memory/576-198-0x0000000000400000-0x0000000000AF5000-memory.dmp

Filesize
7.0MB

Download
memory/576-115-0x0000000000DE0000-0x0000000000EE0000-memory.dmp

Filesize
1024KB

Download
memory/576-310-0x0000000000400000-0x0000000000AF5000-memory.dmp

Filesize
7.0MB

Download
memory/768-290-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/768-298-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/768-292-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/768-297-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/768-289-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/768-296-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/768-295-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/768-294-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/768-293-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/768-291-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/1556-132-0x0000000000400000-0x0000000000B19000-memory.dmp

Filesize
7.1MB

Download
memory/1556-104-0x0000000002740000-0x00000000027AE000-memory.dmp

Filesize
440KB

Download
memory/1556-103-0x0000000000CD0000-0x0000000000DD0000-memory.dmp

Filesize
1024KB

Download
memory/1556-105-0x0000000000400000-0x0000000000B19000-memory.dmp

Filesize
7.1MB

Download
memory/2340-238-0x000001D5BB7D0000-0x000001D5BB7E0000-memory.dmp

Filesize
64KB

Download
memory/2340-247-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

Filesize
10.8MB

Download
memory/2340-234-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

Filesize
10.8MB

Download
memory/2340-237-0x000001D5BB7D0000-0x000001D5BB7E0000-memory.dmp

Filesize
64KB

Download
memory/2340-233-0x000001D5BB710000-0x000001D5BB732000-memory.dmp

Filesize
136KB

Download
memory/2340-239-0x000001D5BB7D0000-0x000001D5BB7E0000-memory.dmp

Filesize
64KB

Download
memory/2340-240-0x000001D5BB7E0000-0x000001D5BB7F2000-memory.dmp

Filesize
72KB

Download
memory/2340-241-0x000001D5BB7B0000-0x000001D5BB7BA000-memory.dmp

Filesize
40KB

Download
memory/2524-0-0x0000000000620000-0x0000000000ACE000-memory.dmp

Filesize
4.7MB

Download
memory/2524-1-0x0000000077936000-0x0000000077938000-memory.dmp

Filesize
8KB

Download
memory/2524-2-0x0000000000620000-0x0000000000ACE000-memory.dmp

Filesize
4.7MB

Download
memory/2524-8-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/2524-7-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/2524-9-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/2524-6-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/2524-22-0x0000000000620000-0x0000000000ACE000-memory.dmp

Filesize
4.7MB

Download
memory/2524-5-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/2524-4-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/2524-3-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/2524-10-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/2976-62-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/2976-69-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/2976-60-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/2976-63-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/2976-68-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/2976-67-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/2976-66-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/2976-65-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/2976-64-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/3448-55-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/3448-23-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/3448-224-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/3448-26-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/3448-25-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/3448-311-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/3448-32-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3448-31-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/3448-251-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/3448-28-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/3448-29-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/3448-30-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/3448-24-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/3448-285-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/3448-197-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/3448-27-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/3448-33-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/3448-118-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/3448-53-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/3448-54-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/3448-145-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/3448-56-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/3448-303-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/3448-300-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/3448-61-0x0000000000F20000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/4720-130-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/4720-131-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/4720-186-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/4720-207-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download