amadey | 4d79cda714ec0273d7fdcb1ad6b1116e9a1770f1eda03487cdd4d47b2b851b66

Analysis

max time kernel
163s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

457c1c09953a40ae6f672b1f59c3850869b22e5dcc5932fee87986b64310236e.exe
Size

1.5MB
MD5

b8a26d9c386ec312fd8470f0b728873d
SHA1

7fa5f682d9366c13c1ebfccd8b6c4ab4335ecc88
SHA256

457c1c09953a40ae6f672b1f59c3850869b22e5dcc5932fee87986b64310236e
SHA512

722d78ff2e3a77030c50b268c84e77339d86044f0c7eae20470d232f14d65c1a58a92889b9eeaa97908d65907d934ffbdda81a2f505ff3309a61b63540e18ee8
SSDEEP

24576:myab630MZL5fUEHJspwjRtFwMccpgrCp0tu69yL0FnhVQyNZQ:1abEdZ9fnp44TfcLAevQyNZ

Score

10^/10

amadey mystic redline smokeloader homed backdoor evasion infostealer persistence stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

homed

109.107.182.133:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023260-37.dat	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3644-52-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	6Tj9qG2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	5Bu5nb8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 14 IoCs

pid	Process
4136	yR0rS90.exe
1692	cz2ma34.exe
2692	nJ5uI86.exe
3504	NP2Fo34.exe
3016	1ei47FO5.exe
4908	2xf6670.exe
3244	3Sc60zr.exe
3772	4UQ856Vq.exe
1376	5Bu5nb8.exe
4364	explothe.exe
3812	6Tj9qG2.exe
4036	explothe.exe
208	explothe.exe
3652	vcrgwiu

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0004000000022d20-76.dat	upx
behavioral1/memory/3812-78-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/3812-82-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	NP2Fo34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	457c1c09953a40ae6f672b1f59c3850869b22e5dcc5932fee87986b64310236e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	yR0rS90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	cz2ma34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	nJ5uI86.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3016 set thread context of 1536	3016	1ei47FO5.exe	100
PID 3244 set thread context of 5100	3244	3Sc60zr.exe	104
PID 3772 set thread context of 3644	3772	4UQ856Vq.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4808	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{49F6530E-A7AC-4778-AA6C-A72772767CC5}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5100	AppLaunch.exe
5100	AppLaunch.exe
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5100	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1536	AppLaunch.exe
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3164	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 4136	4716	457c1c09953a40ae6f672b1f59c3850869b22e5dcc5932fee87986b64310236e.exe	95
PID 4716 wrote to memory of 4136	4716	457c1c09953a40ae6f672b1f59c3850869b22e5dcc5932fee87986b64310236e.exe	95
PID 4716 wrote to memory of 4136	4716	457c1c09953a40ae6f672b1f59c3850869b22e5dcc5932fee87986b64310236e.exe	95
PID 4136 wrote to memory of 1692	4136	yR0rS90.exe	96
PID 4136 wrote to memory of 1692	4136	yR0rS90.exe	96
PID 4136 wrote to memory of 1692	4136	yR0rS90.exe	96
PID 1692 wrote to memory of 2692	1692	cz2ma34.exe	97
PID 1692 wrote to memory of 2692	1692	cz2ma34.exe	97
PID 1692 wrote to memory of 2692	1692	cz2ma34.exe	97
PID 2692 wrote to memory of 3504	2692	nJ5uI86.exe	98
PID 2692 wrote to memory of 3504	2692	nJ5uI86.exe	98
PID 2692 wrote to memory of 3504	2692	nJ5uI86.exe	98
PID 3504 wrote to memory of 3016	3504	NP2Fo34.exe	99
PID 3504 wrote to memory of 3016	3504	NP2Fo34.exe	99
PID 3504 wrote to memory of 3016	3504	NP2Fo34.exe	99
PID 3016 wrote to memory of 1536	3016	1ei47FO5.exe	100
PID 3016 wrote to memory of 1536	3016	1ei47FO5.exe	100
PID 3016 wrote to memory of 1536	3016	1ei47FO5.exe	100
PID 3016 wrote to memory of 1536	3016	1ei47FO5.exe	100
PID 3016 wrote to memory of 1536	3016	1ei47FO5.exe	100
PID 3016 wrote to memory of 1536	3016	1ei47FO5.exe	100
PID 3016 wrote to memory of 1536	3016	1ei47FO5.exe	100
PID 3016 wrote to memory of 1536	3016	1ei47FO5.exe	100
PID 3504 wrote to memory of 4908	3504	NP2Fo34.exe	101
PID 3504 wrote to memory of 4908	3504	NP2Fo34.exe	101
PID 3504 wrote to memory of 4908	3504	NP2Fo34.exe	101
PID 2692 wrote to memory of 3244	2692	nJ5uI86.exe	102
PID 2692 wrote to memory of 3244	2692	nJ5uI86.exe	102
PID 2692 wrote to memory of 3244	2692	nJ5uI86.exe	102
PID 3244 wrote to memory of 4532	3244	3Sc60zr.exe	103
PID 3244 wrote to memory of 4532	3244	3Sc60zr.exe	103
PID 3244 wrote to memory of 4532	3244	3Sc60zr.exe	103
PID 3244 wrote to memory of 5100	3244	3Sc60zr.exe	104
PID 3244 wrote to memory of 5100	3244	3Sc60zr.exe	104
PID 3244 wrote to memory of 5100	3244	3Sc60zr.exe	104
PID 3244 wrote to memory of 5100	3244	3Sc60zr.exe	104
PID 3244 wrote to memory of 5100	3244	3Sc60zr.exe	104
PID 3244 wrote to memory of 5100	3244	3Sc60zr.exe	104
PID 1692 wrote to memory of 3772	1692	cz2ma34.exe	105
PID 1692 wrote to memory of 3772	1692	cz2ma34.exe	105
PID 1692 wrote to memory of 3772	1692	cz2ma34.exe	105
PID 3772 wrote to memory of 2272	3772	4UQ856Vq.exe	108
PID 3772 wrote to memory of 2272	3772	4UQ856Vq.exe	108
PID 3772 wrote to memory of 2272	3772	4UQ856Vq.exe	108
PID 3772 wrote to memory of 3644	3772	4UQ856Vq.exe	109
PID 3772 wrote to memory of 3644	3772	4UQ856Vq.exe	109
PID 3772 wrote to memory of 3644	3772	4UQ856Vq.exe	109
PID 3772 wrote to memory of 3644	3772	4UQ856Vq.exe	109
PID 3772 wrote to memory of 3644	3772	4UQ856Vq.exe	109
PID 3772 wrote to memory of 3644	3772	4UQ856Vq.exe	109
PID 3772 wrote to memory of 3644	3772	4UQ856Vq.exe	109
PID 3772 wrote to memory of 3644	3772	4UQ856Vq.exe	109
PID 4136 wrote to memory of 1376	4136	yR0rS90.exe	110
PID 4136 wrote to memory of 1376	4136	yR0rS90.exe	110
PID 4136 wrote to memory of 1376	4136	yR0rS90.exe	110
PID 1376 wrote to memory of 4364	1376	5Bu5nb8.exe	112
PID 1376 wrote to memory of 4364	1376	5Bu5nb8.exe	112
PID 1376 wrote to memory of 4364	1376	5Bu5nb8.exe	112
PID 4716 wrote to memory of 3812	4716	457c1c09953a40ae6f672b1f59c3850869b22e5dcc5932fee87986b64310236e.exe	113
PID 4716 wrote to memory of 3812	4716	457c1c09953a40ae6f672b1f59c3850869b22e5dcc5932fee87986b64310236e.exe	113
PID 4716 wrote to memory of 3812	4716	457c1c09953a40ae6f672b1f59c3850869b22e5dcc5932fee87986b64310236e.exe	113
PID 4364 wrote to memory of 4808	4364	explothe.exe	114
PID 4364 wrote to memory of 4808	4364	explothe.exe	114
PID 4364 wrote to memory of 4808	4364	explothe.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\457c1c09953a40ae6f672b1f59c3850869b22e5dcc5932fee87986b64310236e.exe
"C:\Users\Admin\AppData\Local\Temp\457c1c09953a40ae6f672b1f59c3850869b22e5dcc5932fee87986b64310236e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yR0rS90.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yR0rS90.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cz2ma34.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cz2ma34.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nJ5uI86.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nJ5uI86.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\NP2Fo34.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\NP2Fo34.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ei47FO5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ei47FO5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xf6670.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xf6670.exe
        6⤵
        Executes dropped EXE
        
        PID:4908
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Sc60zr.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Sc60zr.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3244
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4532
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:5100
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4UQ856Vq.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4UQ856Vq.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3772
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:2272
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:3644
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Bu5nb8.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Bu5nb8.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
      "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:4808
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:2084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3884
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        6⤵
        
        PID:4668
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        6⤵
        
        PID:3836
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3008
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        6⤵
        
        PID:2448
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        6⤵
        
        PID:4108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Tj9qG2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Tj9qG2.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3812
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E961.tmp\E962.tmp\E963.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Tj9qG2.exe"
    3⤵
    PID:3720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:2464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:2696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:3804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4712 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:1
1⤵
PID:2636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5740 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:1
1⤵
PID:1596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5876 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:1
1⤵
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5676 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:1
1⤵
PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5488 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:1
1⤵
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=6248 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6420 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6536 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:2760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6476 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
PID:3804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:2696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6740 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:208

C:\Users\Admin\AppData\Roaming\vcrgwiu
C:\Users\Admin\AppData\Roaming\vcrgwiu
1⤵
- Executes dropped EXE
PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E961.tmp\E962.tmp\E963.bat

Filesize
124B

MD5
dec89e5682445d71376896eac0d62d8b

SHA1
c5ae3197d3c2faf3dea137719c804ab215022ea6

SHA256
c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668

SHA512
b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Tj9qG2.exe

Filesize
45KB

MD5
3e1db5a81d291b1fe024f4c86c26b98d

SHA1
342de6d9fab3c85aa6b3f20f104dcd34845f32d0

SHA256
6c1bada4bd7e760026fa1d36e7028ee36de55d3afe9c9b631537ae4f931391fc

SHA512
a049d28b935080609ee0b3a58c2a6e37f615bb5195ca3e77b2019093970e21b99c6c3bb0e622cd1dfa61c4244078a8ce29d4d2ffa98f8475b960b5287fb5e0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yR0rS90.exe

Filesize
1.4MB

MD5
35c2fb3a3c860b9f76acd792adbff057

SHA1
acbb098873a2c46efa35eb25f7c193bcb1f0c90c

SHA256
662d229dc3f089e6ff44b630d1cb101adbc706b2fff1f58f5b1a9d7d5654a53f

SHA512
d5ae8eebfee094e794fd083fcd4beeab10f9e662041e0ac0f52f8709551de9448c1cbe3e8f11cfad86d4752a79f63cf0bb1dfd1bfb9d8ef34b5c35eaf6cd4f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Bu5nb8.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cz2ma34.exe

Filesize
1.2MB

MD5
3da1d31bfeb550de5d9feda578a36fcd

SHA1
80e99b978f6acd12aa3cfc67d8ac6df7da4d32d6

SHA256
5a8a0b340354f36382ebe079dcaa96928d0cac4ebab8a67949cbed73dceb93d0

SHA512
3cdb6ce8a24951b9b5a0be566f0478a80af6ba4ad195f4fdaca0f9f6f25d3c707d41a69404a85406d6fb18a7fbb2c06624c17e8c7a55076ef1ce73569242f9b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4UQ856Vq.exe

Filesize
1.1MB

MD5
408142150615ac9ec9fffa52a667cab7

SHA1
58e136f41fc5b754b0372e34679f41b4ca931fd9

SHA256
693bede9cea5901b6b60bbf4d78c08d00bc9b3a3c06a431f86a3f96f569260a8

SHA512
5e28bdbbacc34bcddf37df672fcbfc85f7b165e4eabf2b63fbb0b3eeaf923b6819c9272962835d0af8c6b83ebff9263ecdfc2a42b27624a2c1097fdd323396da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nJ5uI86.exe

Filesize
819KB

MD5
69fb3b64e2c03370d349df94b925cdbe

SHA1
245f12d9f976c61525cd3e07e07e1eec05760be8

SHA256
667f36cce8a195f774691764be989aa928f2b46d0784a5391a52db6194493840

SHA512
c7bcd2827a07da66cf11734fbd94cd6331ad29bb585306c7a13b1eb9be81a30aebd9e3ef8f459dd7168394e85acd181287080822ab7af0ce0efd12ac0f4285bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Sc60zr.exe

Filesize
897KB

MD5
2e3f17e7e9001ff7b7cf8ab412462a48

SHA1
2a49c0e715ecd73ccd9d0fcfb21de36cc3ee03ba

SHA256
674e07c8188ea9be50a002c9850c7704541b44b35adc7528216dc73dd4a531b8

SHA512
d42e8a4801f1c73733b37efb5ae17f321bd5463829ab9283566f38882624e284ff4c7c53b212c35ca53f9de825625a455393012ffbdc0e4caebd178fc716ee27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\NP2Fo34.exe

Filesize
458KB

MD5
b80b7d29f16f409c10f5737f1c84c48e

SHA1
2d4f496281f93e18b5e89a362b1aad6cc5dc7909

SHA256
6cd448d69295644625810e1127ca819670c33846c8e705f66a4298442ed2e3d0

SHA512
de0a8ffae8fcb8d44effb4d3d84e689ed21cab10f98ac6ce8d5a56785b25df006dd12e1b26919f6c8105b452a882b0502c1d540c30fcb7764fce204e35c58ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ei47FO5.exe

Filesize
875KB

MD5
73d86751a127f28504b4239773c328be

SHA1
a7b5a37edc0841e9a269b827bb0bf28ae0d8c330

SHA256
e0923f519bbf0f9c43922d26954359eed1c352db6deda6e655f838a44d655030

SHA512
464df937ab7ed3a7af81f18d5238019b4268a78dfd8b9d0df6a459c5fd19dfa480c441ce2f20f8b63dcba806e6fc646beaa6b778b52fedee7077739634bad3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xf6670.exe

Filesize
180KB

MD5
0635bc911c5748d71a4aed170173481e

SHA1
6d92ff8b519e4a10759f75f3b3d9e1459ed4ff1b

SHA256
a0330d75df7075206cf68d358e3acfc621062f35db43c2521b8ef5e7c9f317f1

SHA512
50ea5d41497884b8aee43d6d7940186d6095055c4cd301ffa88407caf9935853dcfd852e81ab4671da21505ba284b0bae71a59fa50dd55dfa4c3ea7d0251651a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\vcrgwiu

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
memory/1536-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1536-47-0x0000000073CD0000-0x0000000074480000-memory.dmp

Filesize
7.7MB

Download
memory/1536-68-0x0000000073CD0000-0x0000000074480000-memory.dmp

Filesize
7.7MB

Download
memory/3164-48-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/3644-91-0x0000000007F90000-0x0000000007FDC000-memory.dmp

Filesize
304KB

Download
memory/3644-89-0x0000000007DF0000-0x0000000007E02000-memory.dmp

Filesize
72KB

Download
memory/3644-57-0x00000000081E0000-0x0000000008784000-memory.dmp

Filesize
5.6MB

Download
memory/3644-66-0x0000000007DC0000-0x0000000007DCA000-memory.dmp

Filesize
40KB

Download
memory/3644-52-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3644-60-0x0000000007D10000-0x0000000007DA2000-memory.dmp

Filesize
584KB

Download
memory/3644-90-0x0000000007E50000-0x0000000007E8C000-memory.dmp

Filesize
240KB

Download
memory/3644-61-0x0000000007E90000-0x0000000007EA0000-memory.dmp

Filesize
64KB

Download
memory/3644-81-0x0000000073CD0000-0x0000000074480000-memory.dmp

Filesize
7.7MB

Download
memory/3644-53-0x0000000073CD0000-0x0000000074480000-memory.dmp

Filesize
7.7MB

Download
memory/3644-86-0x0000000008DB0000-0x00000000093C8000-memory.dmp

Filesize
6.1MB

Download
memory/3644-87-0x0000000007E90000-0x0000000007EA0000-memory.dmp

Filesize
64KB

Download
memory/3644-88-0x00000000089A0000-0x0000000008AAA000-memory.dmp

Filesize
1.0MB

Download
memory/3812-82-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3812-78-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5100-50-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5100-42-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5100-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download