Malware Analysis Report

2025-08-05 21:02

Sample ID 240327-ymjaqaaf99
Target 21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3
SHA256 21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3
Tags
amadey evasion trojan risepro persistence spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3

Threat Level: Known bad

The file 21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3 was found to be: Known bad.

Malicious Activity Summary

amadey evasion trojan risepro persistence spyware stealer

Amadey

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Blocklisted process makes network request

Reads local data of messenger clients

Loads dropped DLL

Identifies Wine through registry keys

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-27 19:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-27 19:54

Reported

2024-03-27 19:56

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorha.job C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3356 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 3356 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 3356 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 4832 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 4832 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 4832 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 4544 wrote to memory of 5088 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4544 wrote to memory of 5088 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4832 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 4832 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 4832 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe

"C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 78.117.19.2.in-addr.arpa udp
RU 193.233.132.56:80 193.233.132.56 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 56.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 167.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
RU 193.233.132.56:80 193.233.132.56 tcp
US 8.8.8.8:53 219.135.221.88.in-addr.arpa udp
RU 193.233.132.56:80 193.233.132.56 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 a3783c56ec85a68ad5ac12797df4eac8
SHA1 8b44c5479c06c0835fd29ce1c5d3638ec67ffe7e
SHA256 21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3
SHA512 89017cc01b725ca4e579043be0d9e79733a6a07e36aabb83e015685335060724e3183e8dfb56325f577d1083e84064124d02f46f2093fbcb9772aef789d1d4c0

C:\Users\Admin\AppData\Local\Temp\1000022001\b371549de9.exe

MD5 792d9d5fc949a1bbeac96d722e586637
SHA1 45dc8d107c29e7cd9e3bd20b6b74a778b7b2da75
SHA256 bb055fa9dcbe7169427158d4a9d94cdb63da8263627859549ba0948e61421f29
SHA512 a31e49adf6d9f8a5c3977f375e22b94117205a8f00abe92379020a81254393e1c9322ea574696e8fe3e42613f0b3bbf4664b60b91799941b14e8e2fcae09bcd9

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 93f22941dfd1f09624d3faf917b3fbbe
SHA1 cf67702839d92930a7c9a83da906ca2914136eba
SHA256 8591cb7aaaf51dd400dc75059883f2bedcf6e2b1207a308c7eac948b1f30717c
SHA512 89156f9213be81e0f4ab03bb94f7e405eb53c14993113740179aa8f00116abad8a6ac9e9b2345ba2258d1adfb0ce715a864f2bbe27cd87e84e66acbb65de0329

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 726cd06231883a159ec1ce28dd538699
SHA1 404897e6a133d255ad5a9c26ac6414d7134285a2
SHA256 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA512 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-27 19:54

Reported

2024-03-27 19:56

Platform

win11-20240319-en

Max time kernel

149s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Windows\CurrentVersion\Run\b3d947c218.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000022001\\b3d947c218.exe" C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorha.job C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1584 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 1584 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 1584 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 5072 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000022001\b3d947c218.exe
PID 5072 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000022001\b3d947c218.exe
PID 5072 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000022001\b3d947c218.exe
PID 5072 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 5072 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 5072 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 1060 wrote to memory of 752 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1060 wrote to memory of 752 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 752 wrote to memory of 4564 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 752 wrote to memory of 4564 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 752 wrote to memory of 2496 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 2496 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 5072 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 5072 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe

"C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\1000022001\b3d947c218.exe

"C:\Users\Admin\AppData\Local\Temp\1000022001\b3d947c218.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\233663403127_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
RU 193.233.132.56:80 193.233.132.56 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 56.132.233.193.in-addr.arpa udp
RU 193.233.132.56:80 193.233.132.56 tcp
RU 193.233.132.56:80 193.233.132.56 tcp
RU 193.233.132.56:80 193.233.132.56 tcp
SE 192.229.221.95:80 tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 74e5d11d3dcd2dd3fd22153014f8feaf
SHA1 c2977b3ce52c23c82d7ae792db5a0572f3463aa3
SHA256 80892d9e5ac65c8cf4ee54387bc11b811656760891e21f74065cac21d7846b34
SHA512 5a8822470db207ab291947b5a9ffb37be100e89eb44827c21a460b69f3437e39786c43c030cee49d416db84fdc8d86a5444fcf123ba0f301cd31f3432c37f222

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 a3783c56ec85a68ad5ac12797df4eac8
SHA1 8b44c5479c06c0835fd29ce1c5d3638ec67ffe7e
SHA256 21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3
SHA512 89017cc01b725ca4e579043be0d9e79733a6a07e36aabb83e015685335060724e3183e8dfb56325f577d1083e84064124d02f46f2093fbcb9772aef789d1d4c0

C:\Users\Admin\AppData\Local\Temp\1000022001\b3d947c218.exe

MD5 d1c67770f3ff21687709ef0f9ec6c5aa
SHA1 f12c887eb6ccb6955e15d9d22484e1d7db632d87
SHA256 a418e06af747884788a7797b82f523306c450f4082f078ac52dfb245e27dfe74
SHA512 e9a9c350cfc6b30f0606f4c3a85bc599397d9dde58254e690a00484603771ab32821a76157de339c00827fa4fdcec8d4277f7b28e3aa19e85f5ebcf675fe7370

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 15a42d3e4579da615a384c717ab2109b
SHA1 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA256 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA512 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uc2ndraz.mfv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 726cd06231883a159ec1ce28dd538699
SHA1 404897e6a133d255ad5a9c26ac6414d7134285a2
SHA256 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA512 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
