amadey | 5978b200fe6a0bbb18e25ce3ea4c74a2b1e872e94d80ea6831ca234ff2bfc178

Analysis

max time kernel
148s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
20-05-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5978b200fe6a0bbb18e25ce3ea4c74a2b1e872e94d80ea6831ca234ff2bfc178.exe
Size

1.7MB
MD5

6b54d1ac562e3d828ff805785839250d
SHA1

ff9ec46cb61cbeae558ee32e0fffd8e9d016cc69
SHA256

5978b200fe6a0bbb18e25ce3ea4c74a2b1e872e94d80ea6831ca234ff2bfc178
SHA512

16fa91da3dfebc185ec5d1a39c805742972ec5d89afc35ab26e63cbbd9a9cbaa723f25fa5b3e64e2612c6cdf76acfb138248936551e525e8c4dcc816dc76ee73
SSDEEP

49152:kpxapbtRa+AYZvLOnFF5QvcxLCQLbMYjTEphl:Sap3pZiFF5MckQvNI

Score

10^/10

amadey risepro 18befc c767c0 evasion persistence stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

Botnet

18befc

http://5.42.96.141

Attributes

install_dir
908f070dff
install_file
explorku.exe
strings_key
b25a9385246248a95c600f9a061438e1
url_paths
/go34ko8/index.php

rc4.plain

Extracted

Family

amadey

Version

4.20

Botnet

c767c0

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplons.exeexplorku.exeamers.exeexplorku.exeaxplons.exe56c3b6c7d3.exe5978b200fe6a0bbb18e25ce3ea4c74a2b1e872e94d80ea6831ca234ff2bfc178.exeaxplons.exe5f2abc6e6f.exeexplorku.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amers.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	56c3b6c7d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5978b200fe6a0bbb18e25ce3ea4c74a2b1e872e94d80ea6831ca234ff2bfc178.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5f2abc6e6f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5978b200fe6a0bbb18e25ce3ea4c74a2b1e872e94d80ea6831ca234ff2bfc178.exeexplorku.exeamers.exeexplorku.exeaxplons.exe5f2abc6e6f.exeaxplons.exeexplorku.exeaxplons.exe56c3b6c7d3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5978b200fe6a0bbb18e25ce3ea4c74a2b1e872e94d80ea6831ca234ff2bfc178.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5f2abc6e6f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	56c3b6c7d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5f2abc6e6f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5978b200fe6a0bbb18e25ce3ea4c74a2b1e872e94d80ea6831ca234ff2bfc178.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	56c3b6c7d3.exe

Executes dropped EXE 10 IoCs

Processes:

explorku.exeamers.exeaxplons.exeexplorku.exeaxplons.exe56c3b6c7d3.exe5f2abc6e6f.exeexplorku.exeaxplons.exeexplorku.exe

pid	process
952	explorku.exe
2788	amers.exe
4216	axplons.exe
1140	explorku.exe
1380	axplons.exe
1788	56c3b6c7d3.exe
4120	5f2abc6e6f.exe
1680	explorku.exe
1744	axplons.exe
2428	explorku.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

5f2abc6e6f.exeaxplons.exeamers.exeaxplons.exeaxplons.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine	5f2abc6e6f.exe
Key opened	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine	amers.exe
Key opened	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine	axplons.exe

Themida packer 56 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/1728-0-0x0000000000830000-0x0000000000D77000-memory.dmp	themida
behavioral2/memory/1728-1-0x0000000000830000-0x0000000000D77000-memory.dmp	themida
behavioral2/memory/1728-3-0x0000000000830000-0x0000000000D77000-memory.dmp	themida
behavioral2/memory/1728-6-0x0000000000830000-0x0000000000D77000-memory.dmp	themida
behavioral2/memory/1728-4-0x0000000000830000-0x0000000000D77000-memory.dmp	themida
behavioral2/memory/1728-5-0x0000000000830000-0x0000000000D77000-memory.dmp	themida
behavioral2/memory/1728-7-0x0000000000830000-0x0000000000D77000-memory.dmp	themida
behavioral2/memory/1728-2-0x0000000000830000-0x0000000000D77000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe	themida
behavioral2/memory/952-23-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/952-27-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/952-25-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/952-28-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/952-26-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/952-22-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/952-24-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/952-21-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/1728-20-0x0000000000830000-0x0000000000D77000-memory.dmp	themida
behavioral2/memory/952-31-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/952-62-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/952-63-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/1140-66-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/1140-73-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/1140-71-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/1140-68-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/1140-69-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/1140-72-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/1140-70-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/1140-67-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/1140-76-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\1000014001\56c3b6c7d3.exe	themida
C:\Users\Admin\AppData\Local\Temp\1000014001\56c3b6c7d3.exe	themida
behavioral2/memory/1788-96-0x00000000000F0000-0x0000000000788000-memory.dmp	themida
behavioral2/memory/1788-99-0x00000000000F0000-0x0000000000788000-memory.dmp	themida
behavioral2/memory/1788-100-0x00000000000F0000-0x0000000000788000-memory.dmp	themida
behavioral2/memory/1788-101-0x00000000000F0000-0x0000000000788000-memory.dmp	themida
behavioral2/memory/1788-103-0x00000000000F0000-0x0000000000788000-memory.dmp	themida
behavioral2/memory/1788-104-0x00000000000F0000-0x0000000000788000-memory.dmp	themida
behavioral2/memory/1788-102-0x00000000000F0000-0x0000000000788000-memory.dmp	themida
behavioral2/memory/1788-98-0x00000000000F0000-0x0000000000788000-memory.dmp	themida
behavioral2/memory/1788-97-0x00000000000F0000-0x0000000000788000-memory.dmp	themida
behavioral2/memory/952-105-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/1788-124-0x00000000000F0000-0x0000000000788000-memory.dmp	themida
behavioral2/memory/952-126-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/1680-141-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/1680-142-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/1680-144-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/1680-143-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/1680-147-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/1680-148-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/1680-146-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/1680-145-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/1680-151-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
behavioral2/memory/2428-173-0x00000000002F0000-0x0000000000837000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe	themida
behavioral2/memory/2428-184-0x00000000002F0000-0x0000000000837000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorku.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\56c3b6c7d3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\56c3b6c7d3.exe"	explorku.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

explorku.exe5978b200fe6a0bbb18e25ce3ea4c74a2b1e872e94d80ea6831ca234ff2bfc178.exeexplorku.exeexplorku.exe56c3b6c7d3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5978b200fe6a0bbb18e25ce3ea4c74a2b1e872e94d80ea6831ca234ff2bfc178.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	56c3b6c7d3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

amers.exeaxplons.exeaxplons.exe5f2abc6e6f.exeaxplons.exe

pid process

2788 amers.exe
4216 axplons.exe
1380 axplons.exe
4120 5f2abc6e6f.exe
1744 axplons.exe

Drops file in Windows directory 2 IoCs

Processes:

5978b200fe6a0bbb18e25ce3ea4c74a2b1e872e94d80ea6831ca234ff2bfc178.exeamers.exe

description	ioc	process
File created	C:\Windows\Tasks\explorku.job	5978b200fe6a0bbb18e25ce3ea4c74a2b1e872e94d80ea6831ca234ff2bfc178.exe
File created	C:\Windows\Tasks\axplons.job	amers.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

amers.exeaxplons.exeaxplons.exe5f2abc6e6f.exeaxplons.exe

pid	process
2788	amers.exe
2788	amers.exe
4216	axplons.exe
4216	axplons.exe
1380	axplons.exe
1380	axplons.exe
4120	5f2abc6e6f.exe
4120	5f2abc6e6f.exe
1744	axplons.exe
1744	axplons.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

5978b200fe6a0bbb18e25ce3ea4c74a2b1e872e94d80ea6831ca234ff2bfc178.exeexplorku.exeamers.exe

description	pid	process	target process
PID 1728 wrote to memory of 952	1728	5978b200fe6a0bbb18e25ce3ea4c74a2b1e872e94d80ea6831ca234ff2bfc178.exe	explorku.exe
PID 1728 wrote to memory of 952	1728	5978b200fe6a0bbb18e25ce3ea4c74a2b1e872e94d80ea6831ca234ff2bfc178.exe	explorku.exe
PID 1728 wrote to memory of 952	1728	5978b200fe6a0bbb18e25ce3ea4c74a2b1e872e94d80ea6831ca234ff2bfc178.exe	explorku.exe
PID 952 wrote to memory of 2256	952	explorku.exe	explorku.exe
PID 952 wrote to memory of 2256	952	explorku.exe	explorku.exe
PID 952 wrote to memory of 2256	952	explorku.exe	explorku.exe
PID 952 wrote to memory of 2788	952	explorku.exe	amers.exe
PID 952 wrote to memory of 2788	952	explorku.exe	amers.exe
PID 952 wrote to memory of 2788	952	explorku.exe	amers.exe
PID 2788 wrote to memory of 4216	2788	amers.exe	axplons.exe
PID 2788 wrote to memory of 4216	2788	amers.exe	axplons.exe
PID 2788 wrote to memory of 4216	2788	amers.exe	axplons.exe
PID 952 wrote to memory of 1788	952	explorku.exe	56c3b6c7d3.exe
PID 952 wrote to memory of 1788	952	explorku.exe	56c3b6c7d3.exe
PID 952 wrote to memory of 1788	952	explorku.exe	56c3b6c7d3.exe
PID 952 wrote to memory of 4120	952	explorku.exe	5f2abc6e6f.exe
PID 952 wrote to memory of 4120	952	explorku.exe	5f2abc6e6f.exe
PID 952 wrote to memory of 4120	952	explorku.exe	5f2abc6e6f.exe

C:\Users\Admin\AppData\Local\Temp\5978b200fe6a0bbb18e25ce3ea4c74a2b1e872e94d80ea6831ca234ff2bfc178.exe
"C:\Users\Admin\AppData\Local\Temp\5978b200fe6a0bbb18e25ce3ea4c74a2b1e872e94d80ea6831ca234ff2bfc178.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
3⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2788

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4216

C:\Users\Admin\AppData\Local\Temp\1000014001\56c3b6c7d3.exe
"C:\Users\Admin\AppData\Local\Temp\1000014001\56c3b6c7d3.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1788

C:\Users\Admin\1000017002\5f2abc6e6f.exe
"C:\Users\Admin\1000017002\5f2abc6e6f.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4120

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1140

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1380

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1680

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1744

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Executes dropped EXE
PID:2428

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
Filesize
1.9MB

MD5
b6d641ee02348c20b4c0676d5badc144

SHA1
4bf74798147eaa4d878b6f01b20cdb304c3a064b

SHA256
41bc9693ba0c0ac3cf11ae6f362ecb048e7ca867211fc797c8ef827840ac0b03

SHA512
5784fc5dbd70cbae270da430b33ec7c06a610aef4b4552b5a1bc3a36059ee5d228c2db4df9c1bc400746409350824323e7bcb5adb8fb5de6dd52a46a1dd935b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\56c3b6c7d3.exe
Filesize
1.2MB

MD5
600314ed59588b74cda2e69a18beecf3

SHA1
1bc106daeb17f321766a31f8b062e131f30c20e9

SHA256
adf62b67774db7c1256ffb8537847ea44e13b0a836cea61ef0a3c9df722a0450

SHA512
ebf7487bf6052e5c236397a8c731d2871bb843f7a93e4ed4b6a51aad61ef8c0447b0cac9d8bf5e0aa669f0f1f467455ea7f0972302a65943f74b1fbc95bc2f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\56c3b6c7d3.exe
Filesize
2.2MB

MD5
9b32b914d7200c765725f38faaef614e

SHA1
fb030a51a4abcaa9425094c1535f049b4799382a

SHA256
cefd981172ad4b10b6876f8712cd43ae52692112d4c1259bf6b6e461bc8a2d5b

SHA512
c63486ded6301b690a14fa073b216e935d32d71556d7a6ffb977bedce16c83d8390415f6b8620222ffe4bbbee7b866debc954364726e48f644cc6bbfb18fd358

Download Submit
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
Filesize
13KB

MD5
215552ad1f69a03af3df7fcbaeaa1024

SHA1
7dda882ef204cd88517467f1698491ca697040d8

SHA256
3956d121404450f2b0e3464d36ff33dad47e51b1ac6242b5acbdd5c0efa159a0

SHA512
6fd0bfbe60d530f0708d4b5f9ef5af3fb9fccf06aef0587bd2148ca0dad1b7fd2727690b4ff3a3eadd0d7c0c1f482c356d2ca17fa248723287c763957c094af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
Filesize
1.7MB

MD5
6b54d1ac562e3d828ff805785839250d

SHA1
ff9ec46cb61cbeae558ee32e0fffd8e9d016cc69

SHA256
5978b200fe6a0bbb18e25ce3ea4c74a2b1e872e94d80ea6831ca234ff2bfc178

SHA512
16fa91da3dfebc185ec5d1a39c805742972ec5d89afc35ab26e63cbbd9a9cbaa723f25fa5b3e64e2612c6cdf76acfb138248936551e525e8c4dcc816dc76ee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
Filesize
175KB

MD5
157015e46969912dad33d82201261b54

SHA1
c67585d702a1696bfd7297332db1fa551ee83030

SHA256
a181bbbe92b8972fa5931e9c753bc5aeace13d76899425db09ef34ae73fc6af6

SHA512
59281b3bf543bcd54d4626a1b6a60eaee11948584659676782666fe7a186a63d58b6a2c420283c60d217935d4da545ef8115c66a101b63c296d361a011a04a9b

Download Submit
memory/952-31-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/952-126-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/952-25-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/952-105-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/952-27-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/952-23-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/952-28-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/952-26-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/952-22-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/952-24-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/952-21-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/952-63-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/952-62-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/1140-69-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/1140-71-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/1140-76-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/1140-67-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/1140-70-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/1140-72-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/1140-68-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/1140-66-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/1140-73-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/1380-75-0x00000000006E0000-0x0000000000BB0000-memory.dmp

Filesize
4.8MB

Download
memory/1380-77-0x00000000006E0000-0x0000000000BB0000-memory.dmp

Filesize
4.8MB

Download
memory/1680-146-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/1680-151-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/1680-143-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/1680-147-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/1680-145-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/1680-148-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/1680-144-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/1680-141-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/1680-142-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/1728-1-0x0000000000830000-0x0000000000D77000-memory.dmp

Filesize
5.3MB

Download
memory/1728-6-0x0000000000830000-0x0000000000D77000-memory.dmp

Filesize
5.3MB

Download
memory/1728-2-0x0000000000830000-0x0000000000D77000-memory.dmp

Filesize
5.3MB

Download
memory/1728-7-0x0000000000830000-0x0000000000D77000-memory.dmp

Filesize
5.3MB

Download
memory/1728-20-0x0000000000830000-0x0000000000D77000-memory.dmp

Filesize
5.3MB

Download
memory/1728-0-0x0000000000830000-0x0000000000D77000-memory.dmp

Filesize
5.3MB

Download
memory/1728-5-0x0000000000830000-0x0000000000D77000-memory.dmp

Filesize
5.3MB

Download
memory/1728-3-0x0000000000830000-0x0000000000D77000-memory.dmp

Filesize
5.3MB

Download
memory/1728-4-0x0000000000830000-0x0000000000D77000-memory.dmp

Filesize
5.3MB

Download
memory/1744-153-0x00000000006E0000-0x0000000000BB0000-memory.dmp

Filesize
4.8MB

Download
memory/1744-150-0x00000000006E0000-0x0000000000BB0000-memory.dmp

Filesize
4.8MB

Download
memory/1788-102-0x00000000000F0000-0x0000000000788000-memory.dmp

Filesize
6.6MB

Download
memory/1788-101-0x00000000000F0000-0x0000000000788000-memory.dmp

Filesize
6.6MB

Download
memory/1788-124-0x00000000000F0000-0x0000000000788000-memory.dmp

Filesize
6.6MB

Download
memory/1788-97-0x00000000000F0000-0x0000000000788000-memory.dmp

Filesize
6.6MB

Download
memory/1788-98-0x00000000000F0000-0x0000000000788000-memory.dmp

Filesize
6.6MB

Download
memory/1788-96-0x00000000000F0000-0x0000000000788000-memory.dmp

Filesize
6.6MB

Download
memory/1788-104-0x00000000000F0000-0x0000000000788000-memory.dmp

Filesize
6.6MB

Download
memory/1788-100-0x00000000000F0000-0x0000000000788000-memory.dmp

Filesize
6.6MB

Download
memory/1788-99-0x00000000000F0000-0x0000000000788000-memory.dmp

Filesize
6.6MB

Download
memory/1788-103-0x00000000000F0000-0x0000000000788000-memory.dmp

Filesize
6.6MB

Download
memory/2428-173-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/2428-184-0x00000000002F0000-0x0000000000837000-memory.dmp

Filesize
5.3MB

Download
memory/2788-61-0x0000000000A80000-0x0000000000F50000-memory.dmp

Filesize
4.8MB

Download
memory/2788-47-0x0000000000A80000-0x0000000000F50000-memory.dmp

Filesize
4.8MB

Download
memory/2788-48-0x0000000076FE6000-0x0000000076FE8000-memory.dmp

Filesize
8KB

Download
memory/3992-186-0x00000000006E0000-0x0000000000BB0000-memory.dmp

Filesize
4.8MB

Download
memory/3992-182-0x00000000006E0000-0x0000000000BB0000-memory.dmp

Filesize
4.8MB

Download
memory/4120-123-0x0000000000840000-0x0000000000D10000-memory.dmp

Filesize
4.8MB

Download
memory/4120-122-0x0000000000840000-0x0000000000D10000-memory.dmp

Filesize
4.8MB

Download
memory/4216-130-0x00000000006E0000-0x0000000000BB0000-memory.dmp

Filesize
4.8MB

Download
memory/4216-125-0x00000000006E0000-0x0000000000BB0000-memory.dmp

Filesize
4.8MB

Download
memory/4216-106-0x00000000006E0000-0x0000000000BB0000-memory.dmp

Filesize
4.8MB

Download
memory/4216-64-0x00000000006E0000-0x0000000000BB0000-memory.dmp

Filesize
4.8MB

Download
memory/4216-127-0x00000000006E0000-0x0000000000BB0000-memory.dmp

Filesize
4.8MB

Download
memory/4216-139-0x00000000006E0000-0x0000000000BB0000-memory.dmp

Filesize
4.8MB

Download
memory/4216-133-0x00000000006E0000-0x0000000000BB0000-memory.dmp

Filesize
4.8MB

Download
memory/4216-135-0x00000000006E0000-0x0000000000BB0000-memory.dmp

Filesize
4.8MB

Download