amadey | a2a6836458d1fa4c84b346f7d814d9d1846121c10b9280fc1fafd2bf53c07489

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2024, 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0514395a778941a5876251dd3d81ab440011d4e8847755e68ebed2fb05ae7307.exe
Size

1.7MB
MD5

54653af9a150e18cbafede01825b269b
SHA1

d923abc1efc2623ffab48aa910101ee21e3cdb22
SHA256

0514395a778941a5876251dd3d81ab440011d4e8847755e68ebed2fb05ae7307
SHA512

81ae62a4d0d4524f4a7730e3a24864cb9f002ea61e9a384c31bcd41f0515b1ccc2f1e873906bbac96e1a9b98818dac4ad417d96cce21fe470f215ad4ae2fd7f2
SSDEEP

24576:yydIrbu/YHX2v6ptVid2Esc2mWLDdsS7K54la77nCmK0Svr80TN0oiXyMhvjzWh:ZiqY32CptUXZ1YpK54U7zGDYeSBvjz

Score

10^/10

amadey mystic redline smokeloader homed backdoor evasion infostealer persistence stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

homed

109.107.182.133:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023302-50.dat	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	2iZ6010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	2iZ6010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	2iZ6010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	2iZ6010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	2iZ6010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	2iZ6010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4488-65-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	6bh6Cw5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	7DW1ip82.exe

Executes dropped EXE 16 IoCs

pid	Process
2452	mG8fT66.exe
2468	ky6pw24.exe
1796	SG2qT01.exe
1464	WD0Ym65.exe
4848	wY5rb46.exe
4276	1nm57LL6.exe
2032	2iZ6010.exe
2460	3Ez67HI.exe
2704	4nw003HR.exe
4080	5IE8Uc1.exe
900	6bh6Cw5.exe
216	explothe.exe
3180	7DW1ip82.exe
2984	explothe.exe
4736	explothe.exe
776	hjujaej

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000232f6-86.dat	upx
behavioral1/memory/3180-88-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/3180-97-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	2iZ6010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	2iZ6010.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	WD0Ym65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	wY5rb46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0514395a778941a5876251dd3d81ab440011d4e8847755e68ebed2fb05ae7307.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mG8fT66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ky6pw24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	SG2qT01.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4276 set thread context of 2404	4276	1nm57LL6.exe	101
PID 2704 set thread context of 4952	2704	4nw003HR.exe	112
PID 4080 set thread context of 4488	4080	5IE8Uc1.exe	114

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2584	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1904519900-954640453-4250331663-1000\{5BBBBB5C-64F0-49A8-92CC-B517090B9BBC}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2404	AppLaunch.exe
2404	AppLaunch.exe
2404	AppLaunch.exe
2032	2iZ6010.exe
2032	2iZ6010.exe
2032	2iZ6010.exe
2032	2iZ6010.exe
4952	AppLaunch.exe
4952	AppLaunch.exe
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4952	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	AppLaunch.exe
Token: SeShutdownPrivilege	3484	Process not Found
Token: SeCreatePagefilePrivilege	3484	Process not Found
Token: SeShutdownPrivilege	3484	Process not Found
Token: SeCreatePagefilePrivilege	3484	Process not Found
Token: SeShutdownPrivilege	3484	Process not Found
Token: SeCreatePagefilePrivilege	3484	Process not Found
Token: SeShutdownPrivilege	3484	Process not Found
Token: SeCreatePagefilePrivilege	3484	Process not Found
Token: SeShutdownPrivilege	3484	Process not Found
Token: SeCreatePagefilePrivilege	3484	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3484	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2452	1312	0514395a778941a5876251dd3d81ab440011d4e8847755e68ebed2fb05ae7307.exe	94
PID 1312 wrote to memory of 2452	1312	0514395a778941a5876251dd3d81ab440011d4e8847755e68ebed2fb05ae7307.exe	94
PID 1312 wrote to memory of 2452	1312	0514395a778941a5876251dd3d81ab440011d4e8847755e68ebed2fb05ae7307.exe	94
PID 2452 wrote to memory of 2468	2452	mG8fT66.exe	95
PID 2452 wrote to memory of 2468	2452	mG8fT66.exe	95
PID 2452 wrote to memory of 2468	2452	mG8fT66.exe	95
PID 2468 wrote to memory of 1796	2468	ky6pw24.exe	97
PID 2468 wrote to memory of 1796	2468	ky6pw24.exe	97
PID 2468 wrote to memory of 1796	2468	ky6pw24.exe	97
PID 1796 wrote to memory of 1464	1796	SG2qT01.exe	98
PID 1796 wrote to memory of 1464	1796	SG2qT01.exe	98
PID 1796 wrote to memory of 1464	1796	SG2qT01.exe	98
PID 1464 wrote to memory of 4848	1464	WD0Ym65.exe	99
PID 1464 wrote to memory of 4848	1464	WD0Ym65.exe	99
PID 1464 wrote to memory of 4848	1464	WD0Ym65.exe	99
PID 4848 wrote to memory of 4276	4848	wY5rb46.exe	100
PID 4848 wrote to memory of 4276	4848	wY5rb46.exe	100
PID 4848 wrote to memory of 4276	4848	wY5rb46.exe	100
PID 4276 wrote to memory of 2404	4276	1nm57LL6.exe	101
PID 4276 wrote to memory of 2404	4276	1nm57LL6.exe	101
PID 4276 wrote to memory of 2404	4276	1nm57LL6.exe	101
PID 4276 wrote to memory of 2404	4276	1nm57LL6.exe	101
PID 4276 wrote to memory of 2404	4276	1nm57LL6.exe	101
PID 4276 wrote to memory of 2404	4276	1nm57LL6.exe	101
PID 4276 wrote to memory of 2404	4276	1nm57LL6.exe	101
PID 4276 wrote to memory of 2404	4276	1nm57LL6.exe	101
PID 4848 wrote to memory of 2032	4848	wY5rb46.exe	102
PID 4848 wrote to memory of 2032	4848	wY5rb46.exe	102
PID 2112 wrote to memory of 4960	2112	cmd.exe	107
PID 2112 wrote to memory of 4960	2112	cmd.exe	107
PID 1464 wrote to memory of 2460	1464	WD0Ym65.exe	110
PID 1464 wrote to memory of 2460	1464	WD0Ym65.exe	110
PID 1464 wrote to memory of 2460	1464	WD0Ym65.exe	110
PID 1796 wrote to memory of 2704	1796	SG2qT01.exe	111
PID 1796 wrote to memory of 2704	1796	SG2qT01.exe	111
PID 1796 wrote to memory of 2704	1796	SG2qT01.exe	111
PID 2704 wrote to memory of 4952	2704	4nw003HR.exe	112
PID 2704 wrote to memory of 4952	2704	4nw003HR.exe	112
PID 2704 wrote to memory of 4952	2704	4nw003HR.exe	112
PID 2704 wrote to memory of 4952	2704	4nw003HR.exe	112
PID 2704 wrote to memory of 4952	2704	4nw003HR.exe	112
PID 2704 wrote to memory of 4952	2704	4nw003HR.exe	112
PID 2468 wrote to memory of 4080	2468	ky6pw24.exe	113
PID 2468 wrote to memory of 4080	2468	ky6pw24.exe	113
PID 2468 wrote to memory of 4080	2468	ky6pw24.exe	113
PID 4080 wrote to memory of 4488	4080	5IE8Uc1.exe	114
PID 4080 wrote to memory of 4488	4080	5IE8Uc1.exe	114
PID 4080 wrote to memory of 4488	4080	5IE8Uc1.exe	114
PID 4080 wrote to memory of 4488	4080	5IE8Uc1.exe	114
PID 4080 wrote to memory of 4488	4080	5IE8Uc1.exe	114
PID 4080 wrote to memory of 4488	4080	5IE8Uc1.exe	114
PID 4080 wrote to memory of 4488	4080	5IE8Uc1.exe	114
PID 4080 wrote to memory of 4488	4080	5IE8Uc1.exe	114
PID 2452 wrote to memory of 900	2452	mG8fT66.exe	115
PID 2452 wrote to memory of 900	2452	mG8fT66.exe	115
PID 2452 wrote to memory of 900	2452	mG8fT66.exe	115
PID 900 wrote to memory of 216	900	6bh6Cw5.exe	116
PID 900 wrote to memory of 216	900	6bh6Cw5.exe	116
PID 900 wrote to memory of 216	900	6bh6Cw5.exe	116
PID 1312 wrote to memory of 3180	1312	0514395a778941a5876251dd3d81ab440011d4e8847755e68ebed2fb05ae7307.exe	117
PID 1312 wrote to memory of 3180	1312	0514395a778941a5876251dd3d81ab440011d4e8847755e68ebed2fb05ae7307.exe	117
PID 1312 wrote to memory of 3180	1312	0514395a778941a5876251dd3d81ab440011d4e8847755e68ebed2fb05ae7307.exe	117
PID 216 wrote to memory of 2584	216	explothe.exe	118
PID 216 wrote to memory of 2584	216	explothe.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0514395a778941a5876251dd3d81ab440011d4e8847755e68ebed2fb05ae7307.exe
"C:\Users\Admin\AppData\Local\Temp\0514395a778941a5876251dd3d81ab440011d4e8847755e68ebed2fb05ae7307.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mG8fT66.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mG8fT66.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ky6pw24.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ky6pw24.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SG2qT01.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SG2qT01.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1796
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WD0Ym65.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WD0Ym65.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1464
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wY5rb46.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wY5rb46.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1nm57LL6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1nm57LL6.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2iZ6010.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2iZ6010.exe
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        
        PID:2032
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ez67HI.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ez67HI.exe
        6⤵
        Executes dropped EXE
        
        PID:2460
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4nw003HR.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4nw003HR.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4952
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5IE8Uc1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5IE8Uc1.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4488
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6bh6Cw5.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6bh6Cw5.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
      "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:216
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:1820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4332
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        6⤵
        
        PID:2684
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        6⤵
        
        PID:5056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2424
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        6⤵
        
        PID:4904
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        6⤵
        
        PID:2984
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7DW1ip82.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7DW1ip82.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3180
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A9DC.tmp\A9DD.tmp\A9DE.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7DW1ip82.exe"
    3⤵
    PID:5004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:1956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:4244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c regini "C:\Users\Admin\AppData\Roaming\random_1712053082.txt"
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\system32\regini.exe
  regini "C:\Users\Admin\AppData\Roaming\random_1712053082.txt"
  2⤵
  PID:4960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4064 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:1
1⤵
PID:2664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3484 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:1
1⤵
PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5172 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:2568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=4632 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:1
1⤵
PID:3220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5864 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:1
1⤵
PID:2448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5988 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:1
1⤵
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6312 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=6472 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:1
1⤵
PID:4452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6620 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6752 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
PID:3144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6312 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:4244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5472 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:2984

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4736

C:\Users\Admin\AppData\Roaming\hjujaej
C:\Users\Admin\AppData\Roaming\hjujaej
1⤵
- Executes dropped EXE
PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9DC.tmp\A9DD.tmp\A9DE.bat

Filesize
124B

MD5
dec89e5682445d71376896eac0d62d8b

SHA1
c5ae3197d3c2faf3dea137719c804ab215022ea6

SHA256
c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668

SHA512
b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7DW1ip82.exe

Filesize
45KB

MD5
427c855b28ea4e1245d274031042f0a2

SHA1
128a945f233c300ae48daa3410085d221fa84065

SHA256
a0783491406d02e73257b71102eb69e44c49f846760aeb46616e53b83e93d3dc

SHA512
8b91b7eae3cb66076d7c260f79909961f204862a081d4e856aadc19b54827bd59513de468b4e89be54505e70adb0180823998ddf46d1252749270a15e1c075d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mG8fT66.exe

Filesize
1.6MB

MD5
02943682e7b73612a7f97406a14640b4

SHA1
c406f0f9cc3b7c9346596d11ff7d461fbe6070c7

SHA256
bc1b23d2ec38fdfa851aa966dc542530876d98f0a2725c739d2d476d20f7c63b

SHA512
463d0a77b24563db2252acdf32ed26663031b9b6758a350d7746bc7b6d50bbfd8de26c6c101ee212368ece6f0e39ece7b23022fbbdd9aec4707c6176973eee63

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6bh6Cw5.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ky6pw24.exe

Filesize
1.4MB

MD5
ddce791cfa2e2008e978cac09b3510d9

SHA1
71e9a491d518da172ab3f9368050805ebd7b46be

SHA256
73a7f687ac35b0acf146031d1a034fdb692ebafe231726e5570f7da79da220d5

SHA512
b01087e44c1a6437917cd456c7d4a4651706a525376ba4231a516b17d05595766a728948ec1af4657054c00b7da56aacfc4a8f1a9afa5efa41e98481b1edbe5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5IE8Uc1.exe

Filesize
1.1MB

MD5
2e29fd8e1f9753b8609229e8c6498b5a

SHA1
846b4a6ec73a8ae4fb4aaa8868ff416b9241b5d0

SHA256
7c245800aa8dddfbb4dc96cd9fd343eb17524380fa1a12c9b697dc3c366171f3

SHA512
7a1f08ea354c06d51ef6cb0fd902cc7de8c01d87df5df7ded29be8884620a60b932b020f4962537db835b8fcf236bceaae4281a7b79d9a7147ad1b4180e04dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SG2qT01.exe

Filesize
1.0MB

MD5
13b4cacfa50d12f88a4356b0ddb38eac

SHA1
5c45164dc52da48e48b0c28d2841a241c8793503

SHA256
4d6d19382a6e9d3bea5626cb5fe49cc6599ba3d5bb415d43734206c88a3c7242

SHA512
f3529ac18aefec85226f5dc2b70e55535e19c7b3b710f2ff417f197a8c38ec434cbb64ed63f3daf9183309bac43affddbd2ffbb4e5515e7fa1dbfa521bd12c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4nw003HR.exe

Filesize
897KB

MD5
09399db7182435119bf606bc50fe0932

SHA1
27d5eda6eda46404210c70528ef0ca2c8dee8555

SHA256
54dcaa3d30be3a08c0e1d9b7debc4f5b10712e7d109e28f1be985fedadfaa35d

SHA512
1fdb49ec44204a754f0e5af5ddfe2babedf056a17748387ff83b2130c37da58e6069951131926916cf162b8bdc14a621dfcb2633791f3d8ad643f9384a8dadf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WD0Ym65.exe

Filesize
688KB

MD5
1b0d934c8ff7beef1c6d7f333d1f1c38

SHA1
ad7dfbe0621e522992359ca7c7784c4bd2958d23

SHA256
dd92132447ea829d0f4e326ec3d8cab52f609482fd2837bb599b2e87236942a0

SHA512
b19eab6a84289d6365c30e3276f9fa2490811855a5f867375a1d46c5a61dda54ac54aaef371921050c9a21bf64a011c2e4271a9b3875ca95b2d410cfd046f47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ez67HI.exe

Filesize
180KB

MD5
0635bc911c5748d71a4aed170173481e

SHA1
6d92ff8b519e4a10759f75f3b3d9e1459ed4ff1b

SHA256
a0330d75df7075206cf68d358e3acfc621062f35db43c2521b8ef5e7c9f317f1

SHA512
50ea5d41497884b8aee43d6d7940186d6095055c4cd301ffa88407caf9935853dcfd852e81ab4671da21505ba284b0bae71a59fa50dd55dfa4c3ea7d0251651a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wY5rb46.exe

Filesize
492KB

MD5
9fc3599c597c292568b9cb0f4123af2d

SHA1
72827396781efbec920d68b2c090688a1d738d28

SHA256
8dcfdb0c842119edb8145ad77c7a2d8934f475ad68c3329a1099f1ca724cbcbf

SHA512
b92faa280101ad111dab8ec1cb14ef37e15bec4858177d4544861f8f8955f72795d4c5f31304adad0eae2d1836f63be7a51b62b8a636401728e43d9358dfdd0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1nm57LL6.exe

Filesize
875KB

MD5
73d86751a127f28504b4239773c328be

SHA1
a7b5a37edc0841e9a269b827bb0bf28ae0d8c330

SHA256
e0923f519bbf0f9c43922d26954359eed1c352db6deda6e655f838a44d655030

SHA512
464df937ab7ed3a7af81f18d5238019b4268a78dfd8b9d0df6a459c5fd19dfa480c441ce2f20f8b63dcba806e6fc646beaa6b778b52fedee7077739634bad3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2iZ6010.exe

Filesize
265KB

MD5
15fe972bcfd9189d826083838645b850

SHA1
d2bf7fee68e358fa71b942b8ae92e483536abf86

SHA256
ec739f26f487bcc65718bb8c28a5e3adf817a18e01952bd888f618a57c1e61d4

SHA512
30f7c8daa78ba9bb32d5dca56440fd9b1d36336f496521920ab41737787c1c8e0bcdd714b72249e0ab52908d7918afcaf9e0b3f5ba2a8a2888e9adb538810cfe

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\hjujaej

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Roaming\random_1712053082.txt

Filesize
78B

MD5
2d245696c73134b0a9a2ac296ea7c170

SHA1
f234419d7a09920a46ad291b98d7dca5a11f0da8

SHA256
ed83e1f6850e48029654e9829cbf6e2cdff82f55f61d1449f822e448f75e8930

SHA512
af0b981ef20aa94aff080fbd2030556fe47c4cc563885b162e604f72bc70c4a0eee4ee57ce4ea8964e6363a32ba34f8bee933db30d3d61392c42299621a4fc79

Download Submit
memory/2404-46-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/2404-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2404-66-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/3180-88-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3180-97-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3484-60-0x0000000002970000-0x0000000002986000-memory.dmp

Filesize
88KB

Download
memory/4488-91-0x0000000008450000-0x0000000008A68000-memory.dmp

Filesize
6.1MB

Download
memory/4488-95-0x0000000007650000-0x000000000769C000-memory.dmp

Filesize
304KB

Download
memory/4488-81-0x0000000007310000-0x000000000731A000-memory.dmp

Filesize
40KB

Download
memory/4488-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4488-102-0x00000000074D0000-0x00000000074E0000-memory.dmp

Filesize
64KB

Download
memory/4488-75-0x0000000007370000-0x0000000007402000-memory.dmp

Filesize
584KB

Download
memory/4488-71-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/4488-92-0x00000000076E0000-0x00000000077EA000-memory.dmp

Filesize
1.0MB

Download
memory/4488-93-0x0000000007490000-0x00000000074A2000-memory.dmp

Filesize
72KB

Download
memory/4488-94-0x0000000007610000-0x000000000764C000-memory.dmp

Filesize
240KB

Download
memory/4488-76-0x00000000074D0000-0x00000000074E0000-memory.dmp

Filesize
64KB

Download
memory/4488-74-0x0000000007880000-0x0000000007E24000-memory.dmp

Filesize
5.6MB

Download
memory/4488-101-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/4952-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4952-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4952-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download