amadey | 8f7ecfcea350d8e91e6bb9083833f37b57aa78d15022b68c407055e2463bd982

Analysis

max time kernel
138s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe
Size

1.4MB
MD5

765269c9a1ce5e07ed722e4dc399903e
SHA1

2ac7ccffbcc8b3ba9356530dc3f39602ac73a08f
SHA256

f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a
SHA512

10d029f8bb12c86e10f24a82f40de263990ae482daba9f5832d5a241affb3b83eeb3334f2ae6a89a0d3e20375666e77d06d0f71ab31171bc739eca86033e8177
SSDEEP

24576:Yy5JBuqqev8GvUk7jT755577FaovivYSM5rJaf8VZ9+Xq8DTFfdOuBbvS+ashD:f5JBsev8Gv9nxYotVJtVSvhdO8p

Score

10^/10

amadey mystic redline smokeloader 04d170 grome backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

Botnet

04d170

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral19/memory/5032-39-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral19/memory/5032-40-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral19/memory/5032-42-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ft4OK5.exe	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral19/memory/2988-51-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5VO4Af9.exeexplothe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	5VO4Af9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 13 IoCs

Processes:

xx5PY70.exett4vL61.exeMc7aA33.exeIn6AX00.exe1pQ78ST5.exe2vH3769.exe3eU59rb.exe4Lp952Pp.exe5VO4Af9.exeexplothe.exe6ft4OK5.exeexplothe.exeexplothe.exe

pid	process
5004	xx5PY70.exe
2476	tt4vL61.exe
2124	Mc7aA33.exe
1620	In6AX00.exe
4920	1pQ78ST5.exe
4660	2vH3769.exe
4532	3eU59rb.exe
2656	4Lp952Pp.exe
1612	5VO4Af9.exe
232	explothe.exe
1304	6ft4OK5.exe
3088	explothe.exe
3820	explothe.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exexx5PY70.exett4vL61.exeMc7aA33.exeIn6AX00.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	xx5PY70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	tt4vL61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Mc7aA33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	In6AX00.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1pQ78ST5.exe2vH3769.exe4Lp952Pp.exe

description	pid	process	target process
PID 4920 set thread context of 1408	4920	1pQ78ST5.exe	AppLaunch.exe
PID 4660 set thread context of 5032	4660	2vH3769.exe	AppLaunch.exe
PID 2656 set thread context of 2988	2656	4Lp952Pp.exe	AppLaunch.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1304 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1304	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3eU59rb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3eU59rb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3eU59rb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3eU59rb.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4468 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

AppLaunch.exe

pid process

1408 AppLaunch.exe
1408 AppLaunch.exe
1408 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 1408 AppLaunch.exe

pid	process
4468	schtasks.exe

pid	process
1408	AppLaunch.exe
1408	AppLaunch.exe
1408	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1408	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exexx5PY70.exett4vL61.exeMc7aA33.exeIn6AX00.exe1pQ78ST5.exe2vH3769.exe4Lp952Pp.exe5VO4Af9.exeexplothe.exe

description	pid	process	target process
PID 2664 wrote to memory of 5004	2664	f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe	xx5PY70.exe
PID 2664 wrote to memory of 5004	2664	f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe	xx5PY70.exe
PID 2664 wrote to memory of 5004	2664	f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe	xx5PY70.exe
PID 5004 wrote to memory of 2476	5004	xx5PY70.exe	tt4vL61.exe
PID 5004 wrote to memory of 2476	5004	xx5PY70.exe	tt4vL61.exe
PID 5004 wrote to memory of 2476	5004	xx5PY70.exe	tt4vL61.exe
PID 2476 wrote to memory of 2124	2476	tt4vL61.exe	Mc7aA33.exe
PID 2476 wrote to memory of 2124	2476	tt4vL61.exe	Mc7aA33.exe
PID 2476 wrote to memory of 2124	2476	tt4vL61.exe	Mc7aA33.exe
PID 2124 wrote to memory of 1620	2124	Mc7aA33.exe	In6AX00.exe
PID 2124 wrote to memory of 1620	2124	Mc7aA33.exe	In6AX00.exe
PID 2124 wrote to memory of 1620	2124	Mc7aA33.exe	In6AX00.exe
PID 1620 wrote to memory of 4920	1620	In6AX00.exe	1pQ78ST5.exe
PID 1620 wrote to memory of 4920	1620	In6AX00.exe	1pQ78ST5.exe
PID 1620 wrote to memory of 4920	1620	In6AX00.exe	1pQ78ST5.exe
PID 4920 wrote to memory of 1408	4920	1pQ78ST5.exe	AppLaunch.exe
PID 4920 wrote to memory of 1408	4920	1pQ78ST5.exe	AppLaunch.exe
PID 4920 wrote to memory of 1408	4920	1pQ78ST5.exe	AppLaunch.exe
PID 4920 wrote to memory of 1408	4920	1pQ78ST5.exe	AppLaunch.exe
PID 4920 wrote to memory of 1408	4920	1pQ78ST5.exe	AppLaunch.exe
PID 4920 wrote to memory of 1408	4920	1pQ78ST5.exe	AppLaunch.exe
PID 4920 wrote to memory of 1408	4920	1pQ78ST5.exe	AppLaunch.exe
PID 4920 wrote to memory of 1408	4920	1pQ78ST5.exe	AppLaunch.exe
PID 1620 wrote to memory of 4660	1620	In6AX00.exe	2vH3769.exe
PID 1620 wrote to memory of 4660	1620	In6AX00.exe	2vH3769.exe
PID 1620 wrote to memory of 4660	1620	In6AX00.exe	2vH3769.exe
PID 4660 wrote to memory of 5032	4660	2vH3769.exe	AppLaunch.exe
PID 4660 wrote to memory of 5032	4660	2vH3769.exe	AppLaunch.exe
PID 4660 wrote to memory of 5032	4660	2vH3769.exe	AppLaunch.exe
PID 4660 wrote to memory of 5032	4660	2vH3769.exe	AppLaunch.exe
PID 4660 wrote to memory of 5032	4660	2vH3769.exe	AppLaunch.exe
PID 4660 wrote to memory of 5032	4660	2vH3769.exe	AppLaunch.exe
PID 4660 wrote to memory of 5032	4660	2vH3769.exe	AppLaunch.exe
PID 4660 wrote to memory of 5032	4660	2vH3769.exe	AppLaunch.exe
PID 4660 wrote to memory of 5032	4660	2vH3769.exe	AppLaunch.exe
PID 4660 wrote to memory of 5032	4660	2vH3769.exe	AppLaunch.exe
PID 2124 wrote to memory of 4532	2124	Mc7aA33.exe	3eU59rb.exe
PID 2124 wrote to memory of 4532	2124	Mc7aA33.exe	3eU59rb.exe
PID 2124 wrote to memory of 4532	2124	Mc7aA33.exe	3eU59rb.exe
PID 2476 wrote to memory of 2656	2476	tt4vL61.exe	4Lp952Pp.exe
PID 2476 wrote to memory of 2656	2476	tt4vL61.exe	4Lp952Pp.exe
PID 2476 wrote to memory of 2656	2476	tt4vL61.exe	4Lp952Pp.exe
PID 2656 wrote to memory of 2988	2656	4Lp952Pp.exe	AppLaunch.exe
PID 2656 wrote to memory of 2988	2656	4Lp952Pp.exe	AppLaunch.exe
PID 2656 wrote to memory of 2988	2656	4Lp952Pp.exe	AppLaunch.exe
PID 2656 wrote to memory of 2988	2656	4Lp952Pp.exe	AppLaunch.exe
PID 2656 wrote to memory of 2988	2656	4Lp952Pp.exe	AppLaunch.exe
PID 2656 wrote to memory of 2988	2656	4Lp952Pp.exe	AppLaunch.exe
PID 2656 wrote to memory of 2988	2656	4Lp952Pp.exe	AppLaunch.exe
PID 2656 wrote to memory of 2988	2656	4Lp952Pp.exe	AppLaunch.exe
PID 5004 wrote to memory of 1612	5004	xx5PY70.exe	5VO4Af9.exe
PID 5004 wrote to memory of 1612	5004	xx5PY70.exe	5VO4Af9.exe
PID 5004 wrote to memory of 1612	5004	xx5PY70.exe	5VO4Af9.exe
PID 1612 wrote to memory of 232	1612	5VO4Af9.exe	explothe.exe
PID 1612 wrote to memory of 232	1612	5VO4Af9.exe	explothe.exe
PID 1612 wrote to memory of 232	1612	5VO4Af9.exe	explothe.exe
PID 2664 wrote to memory of 1304	2664	f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe	6ft4OK5.exe
PID 2664 wrote to memory of 1304	2664	f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe	6ft4OK5.exe
PID 2664 wrote to memory of 1304	2664	f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe	6ft4OK5.exe
PID 232 wrote to memory of 4468	232	explothe.exe	schtasks.exe
PID 232 wrote to memory of 4468	232	explothe.exe	schtasks.exe
PID 232 wrote to memory of 4468	232	explothe.exe	schtasks.exe
PID 232 wrote to memory of 1488	232	explothe.exe	cmd.exe
PID 232 wrote to memory of 1488	232	explothe.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe
"C:\Users\Admin\AppData\Local\Temp\f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xx5PY70.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xx5PY70.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tt4vL61.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tt4vL61.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mc7aA33.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mc7aA33.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\In6AX00.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\In6AX00.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1620
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pQ78ST5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pQ78ST5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vH3769.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vH3769.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:5032
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3eU59rb.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3eU59rb.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        
        PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Lp952Pp.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Lp952Pp.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:2988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5VO4Af9.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5VO4Af9.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
      "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:232
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:4468
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:1488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4092
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        6⤵
        
        PID:2260
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        6⤵
        
        PID:2808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3656
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        6⤵
        
        PID:4896
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        6⤵
        
        PID:1260
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ft4OK5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ft4OK5.exe
  2⤵
  - Executes dropped EXE
  PID:1304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4136,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4008 /prefetch:8
1⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:3088

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:1304

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ft4OK5.exe

Filesize
183KB

MD5
1e57c2a7b987ae92dc21c50746b37063

SHA1
a07d908ac7deac366e385d34f68be772b43d37d2

SHA256
2249197c31828fc399259ec0264df1eec433a0294253b121616c265b9bcb198b

SHA512
6a9b2b2539cccb4cfd5f34fc14d0affd2fd07ed3ccdd77070558220e376fee0a6d5b6a7729fcd6d66479c15a27f4855b138b1a20c1b4ac29bac6d5d038e0b024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xx5PY70.exe

Filesize
1.2MB

MD5
e0be10a970dd14a2b36f2a78ec016e77

SHA1
02d5e7a9848fee617e050e0e084a29a46b4a7753

SHA256
ec14ebb568f1b427ca18c55a3ded58e7ece7fc04dfdf52f943b261462ef09d7f

SHA512
71d2fe30c63ee6b970ada325d1e625be3f651bd62e135e8ee534f68c7804f70dbeb845c65dc9265b884e397de149b571d10ee09c675669655a6b51f56aafa32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5VO4Af9.exe

Filesize
220KB

MD5
267aebc6b564cd5af7176af505128ff2

SHA1
96f7ddd98321e73ebb335c78c18628c741b53e2a

SHA256
f5aa7480889a53eca382a8947c97744fe962f85b9c7bd459bb60303f0aa3078e

SHA512
02814af6d3a642a6766f5a2f73ccf31d009136ef0293918295d2225997ae2591a37b58937493ec9ddc444b07c0d5897aaa46a3cec1376de0cc951a874c5e005b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tt4vL61.exe

Filesize
1.0MB

MD5
2076fb09414ce6b15a91abac6b9d713d

SHA1
86ed72e68643b4e01858963e6629f57d496e457e

SHA256
d2d765359eea2bf052f66dbfa72d09d07d9c25706ab8b7aaede6d7ba2c0b950e

SHA512
b93d77e74115cfb17c41722eb4b57518fdd7ef823a3a49add5dcbf36baddab28680eebae52d4a011ee8061b08e3f576257ab1700cee798e19519bcc1311c8625

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Lp952Pp.exe

Filesize
1.1MB

MD5
d39396a7641565604dd201364366363f

SHA1
6e6b19540ef9fd1915979b0341783d75f0d0f636

SHA256
a6a915a0a1028bc8cea33ad7833c2272e0ea338af665c1a7b482694f559575d8

SHA512
cdf8e08f1f303b46a9e0cae370b0175984e0cfa306540769a3650dad17b4c738c20f96ea54f6994dbad8d9ea7bb40770ddc818ad96e9f1b69a91dd11ebe4027a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mc7aA33.exe

Filesize
649KB

MD5
229764350bd0f115b9300418e2818442

SHA1
10c0666dacd0df74247a192fbd8118e42f1ab59d

SHA256
1a8dcb10952146e24b7a3a8777f2aca61a4651d05289bcce5663e6263d8aa81e

SHA512
50dafb4682a7b939232fda03788df2c7468b0bcc777cb91bc34628d529a93ae81ff4081f67171c96865fe80be09d0fbe438cc01cd5267473edf80d549a35c1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3eU59rb.exe

Filesize
30KB

MD5
b37d14cd53de80da8e09dbce04144c3a

SHA1
3ea89612a5be9715be23195df46d42d4ac2393bb

SHA256
ccb7f4a6e87a5ef30a3c814ab4c3db456bbddba8599363205f10e4086ee2fd8c

SHA512
da1321527200db70c9f8e29d30b56d3fa5496de9f373716b1a5d4c3afcaf66418efd246dcfba9a9b8bd599b541e9b9ebfeaa6a9fd8a962865026d9f407be4d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\In6AX00.exe

Filesize
525KB

MD5
8ab913cd17013811739bc097603445cb

SHA1
22912bcc7381043546852855e95d0f4f38497293

SHA256
e66ed5a6933023063c381bcfabcebb8bf76a7e996a329477de6742209e1af291

SHA512
b5a419b53b1bc7f8d61bef0ae0415e356b647208b3a3d25e06b103885ae073558fb205407fcc9e38cef2148b2be8047750dec97ee836be789437e98ca7638caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pQ78ST5.exe

Filesize
878KB

MD5
9489b609e0a08e64019d65a0d382c550

SHA1
1f3d23bfd30faabccdc238a4af4e5c5bc69314a3

SHA256
c5b92358c3c05791c95917eb70d9fd3237d04049217cbea1a34bb3bd23ac1697

SHA512
12479d3b2d9c365216426ff840f457e1dfce30dc53e3395f2d0fedf6bace1096fdc44ed3270820335df141dee686eb241c606952b4a9b392cfa59a7d45c42e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vH3769.exe

Filesize
1.1MB

MD5
b1ae64c6acaf51c622ba1fb096fc194c

SHA1
0cb0e620a31965da93ce01a7fb4cacbf6827843f

SHA256
d5c4ccf9a7ada40adfcb554052654ee8c83ce6083ff676b1b5c7a66d15e2317a

SHA512
ad54ec80a5d695a8e1da70d7b863b349c6dfd117b67ffb33fd74c7897a93f16a4f9add246daaeedd41b0fa132a4b66b09c8c5ef605735372f5885880bafe21d4

Download Submit
memory/1408-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2988-59-0x0000000007360000-0x00000000073F2000-memory.dmp

Filesize
584KB

Download
memory/2988-51-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2988-58-0x0000000007870000-0x0000000007E14000-memory.dmp

Filesize
5.6MB

Download
memory/2988-60-0x0000000002710000-0x000000000271A000-memory.dmp

Filesize
40KB

Download
memory/2988-71-0x0000000008440000-0x0000000008A58000-memory.dmp

Filesize
6.1MB

Download
memory/2988-72-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/2988-73-0x0000000007340000-0x0000000007352000-memory.dmp

Filesize
72KB

Download
memory/2988-74-0x0000000007570000-0x00000000075AC000-memory.dmp

Filesize
240KB

Download
memory/2988-75-0x00000000075B0000-0x00000000075FC000-memory.dmp

Filesize
304KB

Download
memory/4532-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5032-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5032-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5032-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download