amadey | cd71a30b132d259c3897970a820488f2595f0efb71e3469da29ab0f1dbf11ad0

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

126c0f9959aa4a01bb5e8254b72b4bac370a12cddded7d815ea09b0894f1ee59.exe
Size

1.5MB
MD5

f536f5df19df0a0530af2b54bf26a147
SHA1

a25e39e1f67cc7a78c201182af75e04038e25240
SHA256

126c0f9959aa4a01bb5e8254b72b4bac370a12cddded7d815ea09b0894f1ee59
SHA512

e328d25a7480353a09a6ad06b6c05725f52f9f45a9b14b8b3b221f17cc72ddcf0baa29731698376a8f9c0710246c21f6cccc5f58e3adda87c73f702c78fa271e
SSDEEP

24576:zyZiQsZhOKz9F5E4HyyRyDDGk05C8XRVrT6JLUq54o0b4+U2TjfbbrSKC3:GIJcaF5hHy8y30BhT6uS4o0b1jzbuK

Score

10^/10

amadey mystic redline smokeloader homed backdoor evasion infostealer persistence stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

homed

109.107.182.133:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kR0881.exe	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3512-51-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explothe.exe6ce5yB7.exe5rN5VI7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	6ce5yB7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	5rN5VI7.exe

Executes dropped EXE 14 IoCs

Processes:

Tp3hv20.exejX0tp17.exeTK4EQ53.exebW9hd36.exe1dT17EK1.exe2kR0881.exe3LB97iV.exe4hW731MW.exe5rN5VI7.exeexplothe.exe6ce5yB7.exeexplothe.exeexplothe.exeexplothe.exe

pid	process
4388	Tp3hv20.exe
1476	jX0tp17.exe
4128	TK4EQ53.exe
4996	bW9hd36.exe
3188	1dT17EK1.exe
1180	2kR0881.exe
3424	3LB97iV.exe
1684	4hW731MW.exe
2404	5rN5VI7.exe
5024	explothe.exe
3240	6ce5yB7.exe
1544	explothe.exe
1744	explothe.exe
2140	explothe.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3240-70-0x0000000000400000-0x000000000041E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ce5yB7.exe	upx
behavioral1/memory/3240-83-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

jX0tp17.exeTK4EQ53.exebW9hd36.exe126c0f9959aa4a01bb5e8254b72b4bac370a12cddded7d815ea09b0894f1ee59.exeTp3hv20.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	jX0tp17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	TK4EQ53.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	bW9hd36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	126c0f9959aa4a01bb5e8254b72b4bac370a12cddded7d815ea09b0894f1ee59.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Tp3hv20.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1dT17EK1.exe4hW731MW.exe

description	pid	process	target process
PID 3188 set thread context of 5040	3188	1dT17EK1.exe	AppLaunch.exe
PID 1684 set thread context of 3512	1684	4hW731MW.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3LB97iV.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3LB97iV.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3LB97iV.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3LB97iV.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4516 schtasks.exe

pid	process
4516	schtasks.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1904519900-954640453-4250331663-1000\{1E784ABE-789B-4213-A1D6-14A8902C81F4}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3LB97iV.exeAppLaunch.exe

pid	process
3424	3LB97iV.exe
3424	3LB97iV.exe
5040	AppLaunch.exe
5040	AppLaunch.exe
5040	AppLaunch.exe
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3LB97iV.exe

pid process

3424 3LB97iV.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	5040	AppLaunch.exe
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3412

pid	process
3412

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

126c0f9959aa4a01bb5e8254b72b4bac370a12cddded7d815ea09b0894f1ee59.exeTp3hv20.exejX0tp17.exeTK4EQ53.exebW9hd36.exe1dT17EK1.exe4hW731MW.exe5rN5VI7.exeexplothe.exe6ce5yB7.execmd.exe

description	pid	process	target process
PID 2044 wrote to memory of 4388	2044	126c0f9959aa4a01bb5e8254b72b4bac370a12cddded7d815ea09b0894f1ee59.exe	Tp3hv20.exe
PID 2044 wrote to memory of 4388	2044	126c0f9959aa4a01bb5e8254b72b4bac370a12cddded7d815ea09b0894f1ee59.exe	Tp3hv20.exe
PID 2044 wrote to memory of 4388	2044	126c0f9959aa4a01bb5e8254b72b4bac370a12cddded7d815ea09b0894f1ee59.exe	Tp3hv20.exe
PID 4388 wrote to memory of 1476	4388	Tp3hv20.exe	jX0tp17.exe
PID 4388 wrote to memory of 1476	4388	Tp3hv20.exe	jX0tp17.exe
PID 4388 wrote to memory of 1476	4388	Tp3hv20.exe	jX0tp17.exe
PID 1476 wrote to memory of 4128	1476	jX0tp17.exe	TK4EQ53.exe
PID 1476 wrote to memory of 4128	1476	jX0tp17.exe	TK4EQ53.exe
PID 1476 wrote to memory of 4128	1476	jX0tp17.exe	TK4EQ53.exe
PID 4128 wrote to memory of 4996	4128	TK4EQ53.exe	bW9hd36.exe
PID 4128 wrote to memory of 4996	4128	TK4EQ53.exe	bW9hd36.exe
PID 4128 wrote to memory of 4996	4128	TK4EQ53.exe	bW9hd36.exe
PID 4996 wrote to memory of 3188	4996	bW9hd36.exe	1dT17EK1.exe
PID 4996 wrote to memory of 3188	4996	bW9hd36.exe	1dT17EK1.exe
PID 4996 wrote to memory of 3188	4996	bW9hd36.exe	1dT17EK1.exe
PID 3188 wrote to memory of 5040	3188	1dT17EK1.exe	AppLaunch.exe
PID 3188 wrote to memory of 5040	3188	1dT17EK1.exe	AppLaunch.exe
PID 3188 wrote to memory of 5040	3188	1dT17EK1.exe	AppLaunch.exe
PID 3188 wrote to memory of 5040	3188	1dT17EK1.exe	AppLaunch.exe
PID 3188 wrote to memory of 5040	3188	1dT17EK1.exe	AppLaunch.exe
PID 3188 wrote to memory of 5040	3188	1dT17EK1.exe	AppLaunch.exe
PID 3188 wrote to memory of 5040	3188	1dT17EK1.exe	AppLaunch.exe
PID 3188 wrote to memory of 5040	3188	1dT17EK1.exe	AppLaunch.exe
PID 4996 wrote to memory of 1180	4996	bW9hd36.exe	2kR0881.exe
PID 4996 wrote to memory of 1180	4996	bW9hd36.exe	2kR0881.exe
PID 4996 wrote to memory of 1180	4996	bW9hd36.exe	2kR0881.exe
PID 4128 wrote to memory of 3424	4128	TK4EQ53.exe	3LB97iV.exe
PID 4128 wrote to memory of 3424	4128	TK4EQ53.exe	3LB97iV.exe
PID 4128 wrote to memory of 3424	4128	TK4EQ53.exe	3LB97iV.exe
PID 1476 wrote to memory of 1684	1476	jX0tp17.exe	4hW731MW.exe
PID 1476 wrote to memory of 1684	1476	jX0tp17.exe	4hW731MW.exe
PID 1476 wrote to memory of 1684	1476	jX0tp17.exe	4hW731MW.exe
PID 1684 wrote to memory of 3512	1684	4hW731MW.exe	AppLaunch.exe
PID 1684 wrote to memory of 3512	1684	4hW731MW.exe	AppLaunch.exe
PID 1684 wrote to memory of 3512	1684	4hW731MW.exe	AppLaunch.exe
PID 1684 wrote to memory of 3512	1684	4hW731MW.exe	AppLaunch.exe
PID 1684 wrote to memory of 3512	1684	4hW731MW.exe	AppLaunch.exe
PID 1684 wrote to memory of 3512	1684	4hW731MW.exe	AppLaunch.exe
PID 1684 wrote to memory of 3512	1684	4hW731MW.exe	AppLaunch.exe
PID 1684 wrote to memory of 3512	1684	4hW731MW.exe	AppLaunch.exe
PID 4388 wrote to memory of 2404	4388	Tp3hv20.exe	5rN5VI7.exe
PID 4388 wrote to memory of 2404	4388	Tp3hv20.exe	5rN5VI7.exe
PID 4388 wrote to memory of 2404	4388	Tp3hv20.exe	5rN5VI7.exe
PID 2404 wrote to memory of 5024	2404	5rN5VI7.exe	explothe.exe
PID 2404 wrote to memory of 5024	2404	5rN5VI7.exe	explothe.exe
PID 2404 wrote to memory of 5024	2404	5rN5VI7.exe	explothe.exe
PID 2044 wrote to memory of 3240	2044	126c0f9959aa4a01bb5e8254b72b4bac370a12cddded7d815ea09b0894f1ee59.exe	6ce5yB7.exe
PID 2044 wrote to memory of 3240	2044	126c0f9959aa4a01bb5e8254b72b4bac370a12cddded7d815ea09b0894f1ee59.exe	6ce5yB7.exe
PID 2044 wrote to memory of 3240	2044	126c0f9959aa4a01bb5e8254b72b4bac370a12cddded7d815ea09b0894f1ee59.exe	6ce5yB7.exe
PID 5024 wrote to memory of 4516	5024	explothe.exe	schtasks.exe
PID 5024 wrote to memory of 4516	5024	explothe.exe	schtasks.exe
PID 5024 wrote to memory of 4516	5024	explothe.exe	schtasks.exe
PID 5024 wrote to memory of 972	5024	explothe.exe	cmd.exe
PID 5024 wrote to memory of 972	5024	explothe.exe	cmd.exe
PID 5024 wrote to memory of 972	5024	explothe.exe	cmd.exe
PID 3240 wrote to memory of 4664	3240	6ce5yB7.exe	cmd.exe
PID 3240 wrote to memory of 4664	3240	6ce5yB7.exe	cmd.exe
PID 972 wrote to memory of 2668	972	cmd.exe	cmd.exe
PID 972 wrote to memory of 2668	972	cmd.exe	cmd.exe
PID 972 wrote to memory of 2668	972	cmd.exe	cmd.exe
PID 972 wrote to memory of 1500	972	cmd.exe	cacls.exe
PID 972 wrote to memory of 1500	972	cmd.exe	cacls.exe
PID 972 wrote to memory of 1500	972	cmd.exe	cacls.exe
PID 972 wrote to memory of 1068	972	cmd.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\126c0f9959aa4a01bb5e8254b72b4bac370a12cddded7d815ea09b0894f1ee59.exe
"C:\Users\Admin\AppData\Local\Temp\126c0f9959aa4a01bb5e8254b72b4bac370a12cddded7d815ea09b0894f1ee59.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tp3hv20.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tp3hv20.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4388

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jX0tp17.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jX0tp17.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TK4EQ53.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TK4EQ53.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4128

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bW9hd36.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bW9hd36.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4996

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dT17EK1.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dT17EK1.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kR0881.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kR0881.exe
6⤵
- Executes dropped EXE
PID:1180

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3LB97iV.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3LB97iV.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3424

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4hW731MW.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4hW731MW.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5rN5VI7.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5rN5VI7.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
5⤵
- Creates scheduled task(s)
PID:4516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2668

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
6⤵
PID:1500

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
6⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1252

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
6⤵
PID:3644

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
6⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ce5yB7.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ce5yB7.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A6B0.tmp\A6B1.tmp\A6B2.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ce5yB7.exe"
3⤵
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
4⤵
PID:404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
4⤵
PID:3784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:1800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5064 --field-trial-handle=2232,i,11267738607351977302,107266978269557304,262144 --variations-seed-version /prefetch:1
1⤵
PID:2112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3764 --field-trial-handle=2232,i,11267738607351977302,107266978269557304,262144 --variations-seed-version /prefetch:1
1⤵
PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4400 --field-trial-handle=2232,i,11267738607351977302,107266978269557304,262144 --variations-seed-version /prefetch:8
1⤵
PID:3696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5228 --field-trial-handle=2232,i,11267738607351977302,107266978269557304,262144 --variations-seed-version /prefetch:1
1⤵
PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5788 --field-trial-handle=2232,i,11267738607351977302,107266978269557304,262144 --variations-seed-version /prefetch:1
1⤵
PID:1068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5968 --field-trial-handle=2232,i,11267738607351977302,107266978269557304,262144 --variations-seed-version /prefetch:1
1⤵
PID:3400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6244 --field-trial-handle=2232,i,11267738607351977302,107266978269557304,262144 --variations-seed-version /prefetch:8
1⤵
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6400 --field-trial-handle=2232,i,11267738607351977302,107266978269557304,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6468 --field-trial-handle=2232,i,11267738607351977302,107266978269557304,262144 --variations-seed-version /prefetch:8
1⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6664 --field-trial-handle=2232,i,11267738607351977302,107266978269557304,262144 --variations-seed-version /prefetch:8
1⤵
PID:1220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5472 --field-trial-handle=2232,i,11267738607351977302,107266978269557304,262144 --variations-seed-version /prefetch:8
1⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:1744

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A6B0.tmp\A6B1.tmp\A6B2.bat

Filesize
124B

MD5
dec89e5682445d71376896eac0d62d8b

SHA1
c5ae3197d3c2faf3dea137719c804ab215022ea6

SHA256
c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668

SHA512
b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ce5yB7.exe

Filesize
45KB

MD5
3e38f91c02bd4a5f98bbe6efc3ef35f8

SHA1
679a1bb487124ac3dc28225cf01ef610e3ddacfa

SHA256
e77b730653b15e8ea4b80cc9e6de57dc439ef24339b609d8a53a2250261316ea

SHA512
7465795df7cee7e1b25b86554828e242aa37b8a701023100ca3f816d03681efac5c822337a8a806870e5792bdd0cbd963773f100b26c487a2222bf5f6e0dfd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tp3hv20.exe

Filesize
1.4MB

MD5
51893aae83e7b449a777588d4e0b49a8

SHA1
ae8ab728530d441b88c51615ad6d05800e95d0c7

SHA256
f4e017e921bb578e91564690f944a16cb14fc9d072569d3cb2db620c9cdb7fa5

SHA512
7220b1cc4e9d0f4b5a5771b37ade8a12d1f72e4ab1598822a7ce84ad4f22298280929531919d2d199624980db586e1f2f301f76d9b59188f94ce49ae21f950ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5rN5VI7.exe

Filesize
219KB

MD5
fb6fee852f05047499d44ecca38f7da3

SHA1
7a29f77681f20503edf257162b17811f2f284eb9

SHA256
0143e6e36b46db40021876954cbc437032b1d8ec65165d7192ffc61c1b179aa3

SHA512
e202a50950318e024aabffe75e23e17910bbbb1d2a6f0c1f24a0cc47f429c964ebee27b04b593a4e7a9757c9243707f89c0bbd410169a0ec94ab644fe34c9dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jX0tp17.exe

Filesize
1.2MB

MD5
04df542f740e88a0b033635861ee052e

SHA1
bb3d2ac0c471ce7cce69c5f4733ef273763d8c8f

SHA256
bcc35602c33611a0d1612c67aa7dd9f6b3c9548227339de9280b64f7f3e4c125

SHA512
586a6d881f0ae59151c0666e3097a89823d9a6be4372846a16a03f4b18dfd95a45bd3201bb7ddc929b9a70b13b7f08fb51cf3e01188b11192453c011bcac6dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4hW731MW.exe

Filesize
1.9MB

MD5
c6da3e5993eb748c7de3dbb0b225b8ce

SHA1
91d628037f19c18f4cd41b29ac9528f1bdaae0a6

SHA256
b8267f87cfcfa0d771062ae010c6e95ae9e80ae5a30b2c7c44207dad23a7f97c

SHA512
6dd67d929fb9c7f04f62f1fb135c787e349350dbd37eff7dd5eeaeb57fe08801b477fdb05cf407f34e8495603f4c0b238ed10e3db178849f42501db2b0b6552b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TK4EQ53.exe

Filesize
697KB

MD5
b7009df36ca1d3847a9f763acf150207

SHA1
7abb49f055d9b6e7e5825ab1f8b741a2fb6abd3d

SHA256
0363fee1ea81bba95e30bfc22201e4eb83b9020c93d42c5615b168fc730bd11a

SHA512
c2cd65e2ac2a8064aea6198260724aa86c54f48e2c81f316b24ac0795f2c652a05caef1bee28b5f173d0503a15ef54d397e16428a22f1a61987e29cad60b2bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3LB97iV.exe

Filesize
30KB

MD5
d660f75ea496e6eeb62be6cd9b9513dd

SHA1
ca4a509446539cb5b8568c89234259d26ee0728e

SHA256
b4fd13320de3942eb9af0414fde360b9debd49152620d114f8007f1564e8953f

SHA512
fda8b07bcec1f6669c3fbb02f7e767825ab6b7214c485ac817497a4b8cd16baa60c11692f3a239887c9d83ec4207a2b0f2a45b2c20c868372c1bfbb4ed6330aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bW9hd36.exe

Filesize
572KB

MD5
2fdc25a33f8abb0e2e7da98826e6c65c

SHA1
5a005d51033f772125b9f80a0a0c3954590fc68c

SHA256
698c2b4af9268c74c1a35a1017c4866ae3ad9ee5497dd3780101aec8696787c9

SHA512
20eceeb1e2643441a3f7f4737bb76aba7e9acf5ebb710f4f75a8863dc1b4e6e947769716586a8292f0496a0d8fcff89853490514fe539bc6e35f27cb8ee91c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dT17EK1.exe

Filesize
1.6MB

MD5
1a426cb8f9ac97c1bea72cab4f1c2546

SHA1
32e7fa3372dc121c27e1f66c3ef1122af1ceb3d6

SHA256
2852e1a8a77e92bf2f3f79c01f4b61c75e5b62f9d9a2da9d76011b9727092b6d

SHA512
059cf67e3e5f2dd1fcd0b6c9b0cb36421febc8364c107ae2bbbb0d3539ebb0ab042a2ba8f206aeede561c1eab387ae467a49dfeb2ce22854e38a090b9df7bf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kR0881.exe

Filesize
180KB

MD5
29a80914bcaa0ed3b0ecfdab05c3d142

SHA1
ca2c5f72d2f854c97260780bf55322b418d30fd3

SHA256
98ab57ac192335e03016f40e6d1fd05f267fec8c15840ae64ca0ebee2bd10807

SHA512
3a2b42e469f6dddb2bc88cc7d370d0a1192a64deadd340505868cb8d5db6ccfd7d5df40b2640f6bbe417ef42ab490070372e3195e6e1b62d94ae8f2458afb895

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/3240-83-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3240-70-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3412-44-0x0000000002600000-0x0000000002616000-memory.dmp

Filesize
88KB

Download
memory/3424-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3424-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3512-76-0x0000000008100000-0x000000000820A000-memory.dmp

Filesize
1.0MB

Download
memory/3512-51-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3512-59-0x0000000007D60000-0x0000000007DF2000-memory.dmp

Filesize
584KB

Download
memory/3512-58-0x0000000008270000-0x0000000008814000-memory.dmp

Filesize
5.6MB

Download
memory/3512-72-0x0000000007E30000-0x0000000007E3A000-memory.dmp

Filesize
40KB

Download
memory/3512-55-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/3512-75-0x0000000008E40000-0x0000000009458000-memory.dmp

Filesize
6.1MB

Download
memory/3512-64-0x0000000007FE0000-0x0000000007FF0000-memory.dmp

Filesize
64KB

Download
memory/3512-77-0x0000000008010000-0x0000000008022000-memory.dmp

Filesize
72KB

Download
memory/3512-78-0x0000000008070000-0x00000000080AC000-memory.dmp

Filesize
240KB

Download
memory/3512-79-0x00000000080B0000-0x00000000080FC000-memory.dmp

Filesize
304KB

Download
memory/3512-86-0x0000000007FE0000-0x0000000007FF0000-memory.dmp

Filesize
64KB

Download
memory/3512-85-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/5040-42-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/5040-81-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/5040-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download