amadey | 4932904a4d01b689bc14f1e527652fbfd4d399540339e94bd521ea94f7beff49

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71c7c19982a6027ec52f68e4a800eaf31da738fead63e165dab1e39f0fa6196f.exe
Size

1.7MB
MD5

9d179e0faf2f9debfd1a78b6df5e7589
SHA1

5602bf575f6d3131906fdab1809a9924ffb3ac3e
SHA256

71c7c19982a6027ec52f68e4a800eaf31da738fead63e165dab1e39f0fa6196f
SHA512

1197badb88843b95ec88c39b63857751ecb541eaf94e940c23db4c37b8d0d5c75735fa646ae4db1b71c1a8ec27a882fa63b9a4b6f7fefbccb4c32038959fe792
SSDEEP

24576:cylBkN879xpBf/iqVSjM0NErHH+Obnz7qytAjxkZ84DhwQqvBcP+V25y8wU4w5Ml:LAyyoBre8Kne84DhMB0j5y8jFKx17

Score

10^/10

amadey mystic redline smokeloader homed backdoor evasion infostealer persistence stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

homed

109.107.182.133:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023347-50.dat	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	2zY1812.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	2zY1812.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	2zY1812.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	2zY1812.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	2zY1812.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	2zY1812.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1444-64-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	6ew0Nz5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	7Lk8gb88.exe

Executes dropped EXE 15 IoCs

pid	Process
672	jn9ss44.exe
2868	RY9hP13.exe
1480	hH7ql04.exe
3924	DD6ZM39.exe
1168	ZP5Ve36.exe
4264	1ES12br6.exe
4932	2zY1812.exe
2332	3lB03IU.exe
2940	4jN213WZ.exe
4356	5np8iK7.exe
5028	6ew0Nz5.exe
2468	explothe.exe
1296	7Lk8gb88.exe
1580	explothe.exe
2732	explothe.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002333b-85.dat	upx
behavioral1/memory/1296-87-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/1296-96-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	2zY1812.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	2zY1812.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	jn9ss44.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	RY9hP13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	hH7ql04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	DD6ZM39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	ZP5Ve36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	71c7c19982a6027ec52f68e4a800eaf31da738fead63e165dab1e39f0fa6196f.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4264 set thread context of 1536	4264	1ES12br6.exe	100
PID 2940 set thread context of 4604	2940	4jN213WZ.exe	109
PID 4356 set thread context of 1444	4356	5np8iK7.exe	111

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1876	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1904519900-954640453-4250331663-1000\{F160C0ED-D85D-44B9-BE9B-1FBF1B9F84CC}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1536	AppLaunch.exe
1536	AppLaunch.exe
1536	AppLaunch.exe
4932	2zY1812.exe
4932	2zY1812.exe
4932	2zY1812.exe
4932	2zY1812.exe
4604	AppLaunch.exe
4604	AppLaunch.exe
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4604	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1536	AppLaunch.exe
Token: SeShutdownPrivilege	3596	Process not Found
Token: SeCreatePagefilePrivilege	3596	Process not Found
Token: SeShutdownPrivilege	3596	Process not Found
Token: SeCreatePagefilePrivilege	3596	Process not Found
Token: SeShutdownPrivilege	3596	Process not Found
Token: SeCreatePagefilePrivilege	3596	Process not Found
Token: SeShutdownPrivilege	3596	Process not Found
Token: SeCreatePagefilePrivilege	3596	Process not Found
Token: SeShutdownPrivilege	3596	Process not Found
Token: SeCreatePagefilePrivilege	3596	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3596	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 672	2476	71c7c19982a6027ec52f68e4a800eaf31da738fead63e165dab1e39f0fa6196f.exe	93
PID 2476 wrote to memory of 672	2476	71c7c19982a6027ec52f68e4a800eaf31da738fead63e165dab1e39f0fa6196f.exe	93
PID 2476 wrote to memory of 672	2476	71c7c19982a6027ec52f68e4a800eaf31da738fead63e165dab1e39f0fa6196f.exe	93
PID 672 wrote to memory of 2868	672	jn9ss44.exe	95
PID 672 wrote to memory of 2868	672	jn9ss44.exe	95
PID 672 wrote to memory of 2868	672	jn9ss44.exe	95
PID 2868 wrote to memory of 1480	2868	RY9hP13.exe	96
PID 2868 wrote to memory of 1480	2868	RY9hP13.exe	96
PID 2868 wrote to memory of 1480	2868	RY9hP13.exe	96
PID 1480 wrote to memory of 3924	1480	hH7ql04.exe	97
PID 1480 wrote to memory of 3924	1480	hH7ql04.exe	97
PID 1480 wrote to memory of 3924	1480	hH7ql04.exe	97
PID 3924 wrote to memory of 1168	3924	DD6ZM39.exe	98
PID 3924 wrote to memory of 1168	3924	DD6ZM39.exe	98
PID 3924 wrote to memory of 1168	3924	DD6ZM39.exe	98
PID 1168 wrote to memory of 4264	1168	ZP5Ve36.exe	99
PID 1168 wrote to memory of 4264	1168	ZP5Ve36.exe	99
PID 1168 wrote to memory of 4264	1168	ZP5Ve36.exe	99
PID 4264 wrote to memory of 1536	4264	1ES12br6.exe	100
PID 4264 wrote to memory of 1536	4264	1ES12br6.exe	100
PID 4264 wrote to memory of 1536	4264	1ES12br6.exe	100
PID 4264 wrote to memory of 1536	4264	1ES12br6.exe	100
PID 4264 wrote to memory of 1536	4264	1ES12br6.exe	100
PID 4264 wrote to memory of 1536	4264	1ES12br6.exe	100
PID 4264 wrote to memory of 1536	4264	1ES12br6.exe	100
PID 4264 wrote to memory of 1536	4264	1ES12br6.exe	100
PID 1168 wrote to memory of 4932	1168	ZP5Ve36.exe	101
PID 1168 wrote to memory of 4932	1168	ZP5Ve36.exe	101
PID 2232 wrote to memory of 2944	2232	cmd.exe	106
PID 2232 wrote to memory of 2944	2232	cmd.exe	106
PID 3924 wrote to memory of 2332	3924	DD6ZM39.exe	107
PID 3924 wrote to memory of 2332	3924	DD6ZM39.exe	107
PID 3924 wrote to memory of 2332	3924	DD6ZM39.exe	107
PID 1480 wrote to memory of 2940	1480	hH7ql04.exe	108
PID 1480 wrote to memory of 2940	1480	hH7ql04.exe	108
PID 1480 wrote to memory of 2940	1480	hH7ql04.exe	108
PID 2940 wrote to memory of 4604	2940	4jN213WZ.exe	109
PID 2940 wrote to memory of 4604	2940	4jN213WZ.exe	109
PID 2940 wrote to memory of 4604	2940	4jN213WZ.exe	109
PID 2940 wrote to memory of 4604	2940	4jN213WZ.exe	109
PID 2940 wrote to memory of 4604	2940	4jN213WZ.exe	109
PID 2940 wrote to memory of 4604	2940	4jN213WZ.exe	109
PID 2868 wrote to memory of 4356	2868	RY9hP13.exe	110
PID 2868 wrote to memory of 4356	2868	RY9hP13.exe	110
PID 2868 wrote to memory of 4356	2868	RY9hP13.exe	110
PID 4356 wrote to memory of 1444	4356	5np8iK7.exe	111
PID 4356 wrote to memory of 1444	4356	5np8iK7.exe	111
PID 4356 wrote to memory of 1444	4356	5np8iK7.exe	111
PID 4356 wrote to memory of 1444	4356	5np8iK7.exe	111
PID 4356 wrote to memory of 1444	4356	5np8iK7.exe	111
PID 4356 wrote to memory of 1444	4356	5np8iK7.exe	111
PID 4356 wrote to memory of 1444	4356	5np8iK7.exe	111
PID 4356 wrote to memory of 1444	4356	5np8iK7.exe	111
PID 672 wrote to memory of 5028	672	jn9ss44.exe	112
PID 672 wrote to memory of 5028	672	jn9ss44.exe	112
PID 672 wrote to memory of 5028	672	jn9ss44.exe	112
PID 5028 wrote to memory of 2468	5028	6ew0Nz5.exe	113
PID 5028 wrote to memory of 2468	5028	6ew0Nz5.exe	113
PID 5028 wrote to memory of 2468	5028	6ew0Nz5.exe	113
PID 2476 wrote to memory of 1296	2476	71c7c19982a6027ec52f68e4a800eaf31da738fead63e165dab1e39f0fa6196f.exe	114
PID 2476 wrote to memory of 1296	2476	71c7c19982a6027ec52f68e4a800eaf31da738fead63e165dab1e39f0fa6196f.exe	114
PID 2476 wrote to memory of 1296	2476	71c7c19982a6027ec52f68e4a800eaf31da738fead63e165dab1e39f0fa6196f.exe	114
PID 2468 wrote to memory of 1876	2468	explothe.exe	115
PID 2468 wrote to memory of 1876	2468	explothe.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\71c7c19982a6027ec52f68e4a800eaf31da738fead63e165dab1e39f0fa6196f.exe
"C:\Users\Admin\AppData\Local\Temp\71c7c19982a6027ec52f68e4a800eaf31da738fead63e165dab1e39f0fa6196f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jn9ss44.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jn9ss44.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RY9hP13.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RY9hP13.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hH7ql04.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hH7ql04.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\DD6ZM39.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\DD6ZM39.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3924
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ZP5Ve36.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ZP5Ve36.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ES12br6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ES12br6.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zY1812.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zY1812.exe
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        
        PID:4932
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3lB03IU.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3lB03IU.exe
        6⤵
        Executes dropped EXE
        
        PID:2332
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4jN213WZ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4jN213WZ.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5np8iK7.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5np8iK7.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1444
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6ew0Nz5.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6ew0Nz5.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
      "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1876
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:4712
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3840
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        6⤵
        
        PID:4308
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        6⤵
        
        PID:3792
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2364
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        6⤵
        
        PID:4828
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        6⤵
        
        PID:1372
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Lk8gb88.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Lk8gb88.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1296
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A018.tmp\A019.tmp\A02A.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Lk8gb88.exe"
    3⤵
    PID:4912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:4996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:2676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:1480

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c regini "C:\Users\Admin\AppData\Roaming\random_1712052773.txt"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\system32\regini.exe
  regini "C:\Users\Admin\AppData\Roaming\random_1712052773.txt"
  2⤵
  PID:2944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4464 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4972 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4992 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5680 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8
1⤵
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5812 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5972 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6332 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8
1⤵
PID:3272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6484 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8
1⤵
PID:1632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6620 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
PID:1536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5516 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8
1⤵
PID:432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6012 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8
1⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:1580

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A018.tmp\A019.tmp\A02A.bat

Filesize
124B

MD5
dec89e5682445d71376896eac0d62d8b

SHA1
c5ae3197d3c2faf3dea137719c804ab215022ea6

SHA256
c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668

SHA512
b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Lk8gb88.exe

Filesize
45KB

MD5
530d913d65c33b6737fa7952c80cf3e2

SHA1
7dcfd4ebb215aeed8e47d0a944bbf2b5731e327e

SHA256
f107aee34689ec92477e80fefa7a66aaf201fd17799cf350eac03d23bbd31ed8

SHA512
312f7c4b69b48344c8331e0f6633d8bf90493db8c8a348a1f548e32bb95a987ef373ff3fd9798f73fd24120ee0473f852157ca8c6cd1a4a14e650b9baf0e6073

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jn9ss44.exe

Filesize
1.6MB

MD5
186e48c3a9ae1c8217b9df5234827083

SHA1
6e2f000a8f6f162e0cd80e6e73551f70d43a6f59

SHA256
db4f5cc84acb152b891e872e24d3e53af5a905de22b3910753d5430f1e93eda0

SHA512
1a2261ad808a9a63b108b035786005ae153f607963097b9e3a572e8f029293ae89800664a6ff6b7984dc787ddd36f336f4ea119ab4739a72d598a771233adde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6ew0Nz5.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RY9hP13.exe

Filesize
1.4MB

MD5
9e7ee1168c6ea1761fd63be668d96fd4

SHA1
d21f55bdc043a150de48660b73dab670187af8ba

SHA256
3b8bd92dedd160545f3449d5c8e5e198a52473e3dd27fb6b962f6a16c89ba224

SHA512
670b07a815a0812f1cfd1a6c7158a629598fd208164cb45d19ac47fe32d7d30bb26d5cfcb7c51f0a56608edca81f3ba6a56056f5845b96fe177b38766522845c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5np8iK7.exe

Filesize
1.1MB

MD5
238eb2e85bdfbd69b2a066c18272572c

SHA1
a0f625deb1f0ae8df75ee711e7c85374a92dfa49

SHA256
8832a3b16f1607a9d90f2f48ee0fb3120591ded5062845bd90c39df045d79e3d

SHA512
83885ffb546e4c468c146910d40279d15a5a72e76e43c48c498e56788b2c97b623e3c09ec31ee18d0e77414f3691e5503632700b3a569ca2d4ba8347fc517823

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hH7ql04.exe

Filesize
1.0MB

MD5
45747a8e5baba444918444f5ddaaaabd

SHA1
7004307239830d93718ec3ce23ea417490e549bf

SHA256
28ca55cbf1acb5deccdbeb11052380ac868c639c8ba9d0452de477ee2def3bb0

SHA512
0bce8b7c14a6fe37b6e778852dbcb524a69355ad5512476cf5c1069d65703ab8acc1cd8f926088eedc805b93bcf2e49b9fab260a9c9eea42caae0eddc844c3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4jN213WZ.exe

Filesize
897KB

MD5
e06f475db4224d25803183b510797c26

SHA1
10f8eb91d1af7e74ca18049c19cfb412a1411c18

SHA256
5ca1d361f69e07c54f3118d932aa6cd215ee90fe2489d44b7b7dbf6a6d41d716

SHA512
2b08cb61ed346fee1821edec089b21933e6e3bc3901a869e33431b131d849ab78ce25cad162c6fd03319484dc004534ad91db6123d77576fdaaf285af66f44b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\DD6ZM39.exe

Filesize
688KB

MD5
0dabb8a76bb0d571c2c21bb692ae2a88

SHA1
f6f6395f9f949160cb817599995bfd74f3fcbb44

SHA256
176ddf25e27b35d451dfbe010e279b33d1baf64f9ecfa92348cfd66188b79c21

SHA512
82300341b0176c6404621cee46388858340b5e4c0c423426a833d115e854a0ff23c41007d17556a5782a4769b129f9e07485cf8ac5c40e7a8fe4e1e394c4686f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3lB03IU.exe

Filesize
180KB

MD5
0635bc911c5748d71a4aed170173481e

SHA1
6d92ff8b519e4a10759f75f3b3d9e1459ed4ff1b

SHA256
a0330d75df7075206cf68d358e3acfc621062f35db43c2521b8ef5e7c9f317f1

SHA512
50ea5d41497884b8aee43d6d7940186d6095055c4cd301ffa88407caf9935853dcfd852e81ab4671da21505ba284b0bae71a59fa50dd55dfa4c3ea7d0251651a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ZP5Ve36.exe

Filesize
492KB

MD5
4c6cdc43732cf81314d1eade900820d2

SHA1
a6e557bcbd933474d712ac0616b69f82ec8d2da6

SHA256
e23e8c94a70c3e7e80cb2fc8856c7309915db796cf5e48bfdfff7d82973a071d

SHA512
ce7eb7e6350f2046d16cbcb5ce66330f73fecd16f56d3ceb550bd1a60beed973e93a54cd923cc1441661733fcfc773f447094a21ee2277f4a9b533b70dd459a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ES12br6.exe

Filesize
875KB

MD5
73d86751a127f28504b4239773c328be

SHA1
a7b5a37edc0841e9a269b827bb0bf28ae0d8c330

SHA256
e0923f519bbf0f9c43922d26954359eed1c352db6deda6e655f838a44d655030

SHA512
464df937ab7ed3a7af81f18d5238019b4268a78dfd8b9d0df6a459c5fd19dfa480c441ce2f20f8b63dcba806e6fc646beaa6b778b52fedee7077739634bad3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zY1812.exe

Filesize
265KB

MD5
15fe972bcfd9189d826083838645b850

SHA1
d2bf7fee68e358fa71b942b8ae92e483536abf86

SHA256
ec739f26f487bcc65718bb8c28a5e3adf817a18e01952bd888f618a57c1e61d4

SHA512
30f7c8daa78ba9bb32d5dca56440fd9b1d36336f496521920ab41737787c1c8e0bcdd714b72249e0ab52908d7918afcaf9e0b3f5ba2a8a2888e9adb538810cfe

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\random_1712052773.txt

Filesize
78B

MD5
2d245696c73134b0a9a2ac296ea7c170

SHA1
f234419d7a09920a46ad291b98d7dca5a11f0da8

SHA256
ed83e1f6850e48029654e9829cbf6e2cdff82f55f61d1449f822e448f75e8930

SHA512
af0b981ef20aa94aff080fbd2030556fe47c4cc563885b162e604f72bc70c4a0eee4ee57ce4ea8964e6363a32ba34f8bee933db30d3d61392c42299621a4fc79

Download Submit
memory/1296-87-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1296-96-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1444-92-0x0000000007610000-0x0000000007622000-memory.dmp

Filesize
72KB

Download
memory/1444-93-0x0000000007770000-0x00000000077AC000-memory.dmp

Filesize
240KB

Download
memory/1444-68-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/1444-71-0x0000000007980000-0x0000000007F24000-memory.dmp

Filesize
5.6MB

Download
memory/1444-72-0x0000000007470000-0x0000000007502000-memory.dmp

Filesize
584KB

Download
memory/1444-101-0x0000000007670000-0x0000000007680000-memory.dmp

Filesize
64KB

Download
memory/1444-75-0x0000000007670000-0x0000000007680000-memory.dmp

Filesize
64KB

Download
memory/1444-80-0x0000000007530000-0x000000000753A000-memory.dmp

Filesize
40KB

Download
memory/1444-100-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/1444-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1444-89-0x0000000008550000-0x0000000008B68000-memory.dmp

Filesize
6.1MB

Download
memory/1444-94-0x00000000077B0000-0x00000000077FC000-memory.dmp

Filesize
304KB

Download
memory/1444-91-0x0000000007F30000-0x000000000803A000-memory.dmp

Filesize
1.0MB

Download
memory/1536-74-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/1536-47-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/1536-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3596-60-0x00000000028A0000-0x00000000028B6000-memory.dmp

Filesize
88KB

Download
memory/4604-62-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4604-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4604-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download