amadey | 914615fc2a86a1a3aa8a108084dd30cc54e8b935b2f14f7def84c51a049c95c2

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbaaf142d79893fa37e6660341cd9130ad99d286884dba77eee9ee008a2a1f90.exe
Size

994KB
MD5

377ed6988bf4050b701fbc6118cc19ec
SHA1

6516efa34a64861d3dbc1b0b9db4f42d081c2528
SHA256

fbaaf142d79893fa37e6660341cd9130ad99d286884dba77eee9ee008a2a1f90
SHA512

771c517f4b754cc1fdac4add8ef40494d0ceef69f6b7fe667089b0e09dbc1930283c4100ae9e4f8a5f29b026d250e01b72357e55e41d0dfed6563a772cdfa4d4
SSDEEP

24576:1yXMmjNjnmtJOONx7MOH2onMMm/QD58kE3h:QXMsNjnS4Y7TWkMMm/Iy/3

Score

10^/10

amadey healer mystic redline 04d170 daf753 gruha dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

Botnet

04d170

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Extracted

Family

amadey

Version

3.89

Botnet

daf753

http://77.91.68.78

Attributes

install_dir
cb378487cf
install_file
legota.exe
strings_key
f3785cbeef2013b6724eed349fd316ba
url_paths
/help/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral21/memory/1812-40-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral21/memory/1812-42-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral21/memory/1812-43-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral21/files/0x000800000002327e-32.dat	healer
behavioral21/memory/3324-35-0x0000000000B80000-0x0000000000B8A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q1529595.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q1529595.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q1529595.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q1529595.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q1529595.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q1529595.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral21/memory/1128-47-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	t7944559.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	u9928137.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	legota.exe

Executes dropped EXE 16 IoCs

pid	Process
3804	z1101304.exe
4004	z5749368.exe
4008	z7803993.exe
1460	z3509958.exe
3324	q1529595.exe
3828	r7148277.exe
1996	s6222964.exe
708	t7944559.exe
4700	explothe.exe
1376	u9928137.exe
2372	legota.exe
5012	w2149483.exe
4212	explothe.exe
1612	legota.exe
4848	explothe.exe
2080	legota.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q1529595.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fbaaf142d79893fa37e6660341cd9130ad99d286884dba77eee9ee008a2a1f90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1101304.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5749368.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z7803993.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z3509958.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3828 set thread context of 1812	3828	r7148277.exe	100
PID 1996 set thread context of 1128	1996	s6222964.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4616	3828	WerFault.exe	98
608	1996	WerFault.exe	104

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3052	schtasks.exe
844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3324	q1529595.exe
3324	q1529595.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3324	q1529595.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 3804	2772	fbaaf142d79893fa37e6660341cd9130ad99d286884dba77eee9ee008a2a1f90.exe	91
PID 2772 wrote to memory of 3804	2772	fbaaf142d79893fa37e6660341cd9130ad99d286884dba77eee9ee008a2a1f90.exe	91
PID 2772 wrote to memory of 3804	2772	fbaaf142d79893fa37e6660341cd9130ad99d286884dba77eee9ee008a2a1f90.exe	91
PID 3804 wrote to memory of 4004	3804	z1101304.exe	92
PID 3804 wrote to memory of 4004	3804	z1101304.exe	92
PID 3804 wrote to memory of 4004	3804	z1101304.exe	92
PID 4004 wrote to memory of 4008	4004	z5749368.exe	93
PID 4004 wrote to memory of 4008	4004	z5749368.exe	93
PID 4004 wrote to memory of 4008	4004	z5749368.exe	93
PID 4008 wrote to memory of 1460	4008	z7803993.exe	94
PID 4008 wrote to memory of 1460	4008	z7803993.exe	94
PID 4008 wrote to memory of 1460	4008	z7803993.exe	94
PID 1460 wrote to memory of 3324	1460	z3509958.exe	95
PID 1460 wrote to memory of 3324	1460	z3509958.exe	95
PID 1460 wrote to memory of 3828	1460	z3509958.exe	98
PID 1460 wrote to memory of 3828	1460	z3509958.exe	98
PID 1460 wrote to memory of 3828	1460	z3509958.exe	98
PID 3828 wrote to memory of 1812	3828	r7148277.exe	100
PID 3828 wrote to memory of 1812	3828	r7148277.exe	100
PID 3828 wrote to memory of 1812	3828	r7148277.exe	100
PID 3828 wrote to memory of 1812	3828	r7148277.exe	100
PID 3828 wrote to memory of 1812	3828	r7148277.exe	100
PID 3828 wrote to memory of 1812	3828	r7148277.exe	100
PID 3828 wrote to memory of 1812	3828	r7148277.exe	100
PID 3828 wrote to memory of 1812	3828	r7148277.exe	100
PID 3828 wrote to memory of 1812	3828	r7148277.exe	100
PID 3828 wrote to memory of 1812	3828	r7148277.exe	100
PID 4008 wrote to memory of 1996	4008	z7803993.exe	104
PID 4008 wrote to memory of 1996	4008	z7803993.exe	104
PID 4008 wrote to memory of 1996	4008	z7803993.exe	104
PID 1996 wrote to memory of 1128	1996	s6222964.exe	106
PID 1996 wrote to memory of 1128	1996	s6222964.exe	106
PID 1996 wrote to memory of 1128	1996	s6222964.exe	106
PID 1996 wrote to memory of 1128	1996	s6222964.exe	106
PID 1996 wrote to memory of 1128	1996	s6222964.exe	106
PID 1996 wrote to memory of 1128	1996	s6222964.exe	106
PID 1996 wrote to memory of 1128	1996	s6222964.exe	106
PID 1996 wrote to memory of 1128	1996	s6222964.exe	106
PID 4004 wrote to memory of 708	4004	z5749368.exe	109
PID 4004 wrote to memory of 708	4004	z5749368.exe	109
PID 4004 wrote to memory of 708	4004	z5749368.exe	109
PID 708 wrote to memory of 4700	708	t7944559.exe	110
PID 708 wrote to memory of 4700	708	t7944559.exe	110
PID 708 wrote to memory of 4700	708	t7944559.exe	110
PID 3804 wrote to memory of 1376	3804	z1101304.exe	111
PID 3804 wrote to memory of 1376	3804	z1101304.exe	111
PID 3804 wrote to memory of 1376	3804	z1101304.exe	111
PID 4700 wrote to memory of 3052	4700	explothe.exe	112
PID 4700 wrote to memory of 3052	4700	explothe.exe	112
PID 4700 wrote to memory of 3052	4700	explothe.exe	112
PID 1376 wrote to memory of 2372	1376	u9928137.exe	114
PID 1376 wrote to memory of 2372	1376	u9928137.exe	114
PID 1376 wrote to memory of 2372	1376	u9928137.exe	114
PID 4700 wrote to memory of 3668	4700	explothe.exe	115
PID 4700 wrote to memory of 3668	4700	explothe.exe	115
PID 4700 wrote to memory of 3668	4700	explothe.exe	115
PID 2372 wrote to memory of 844	2372	legota.exe	117
PID 2372 wrote to memory of 844	2372	legota.exe	117
PID 2372 wrote to memory of 844	2372	legota.exe	117
PID 2372 wrote to memory of 3912	2372	legota.exe	118
PID 2372 wrote to memory of 3912	2372	legota.exe	118
PID 2372 wrote to memory of 3912	2372	legota.exe	118
PID 3668 wrote to memory of 3980	3668	cmd.exe	121
PID 3668 wrote to memory of 3980	3668	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\fbaaf142d79893fa37e6660341cd9130ad99d286884dba77eee9ee008a2a1f90.exe
"C:\Users\Admin\AppData\Local\Temp\fbaaf142d79893fa37e6660341cd9130ad99d286884dba77eee9ee008a2a1f90.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1101304.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1101304.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5749368.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5749368.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7803993.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7803993.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4008
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3509958.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3509958.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1460
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7148277.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7148277.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 140
        7⤵
        Program crash
        
        PID:4616
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6222964.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6222964.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1128
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 588
        6⤵
        Program crash
        
        PID:608
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7944559.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7944559.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:708
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4700
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3052
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        7⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        7⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:2248
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9928137.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9928137.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
      "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:844
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:3912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4392
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:N"
        6⤵
        
        PID:4400
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:R" /E
        6⤵
        
        PID:3516
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3732
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:N"
        6⤵
        
        PID:3792
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:R" /E
        6⤵
        
        PID:2488
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2149483.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2149483.exe
  2⤵
  - Executes dropped EXE
  PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3828 -ip 3828
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1996 -ip 1996
1⤵
PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4116 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4212

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4848

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2149483.exe

Filesize
23KB

MD5
5f743f5d6f83702752d94a3235908fec

SHA1
b8b723c7a71753d4ccd95123283e39efe3cae202

SHA256
bcf59b82c856523563a7323cd9d08614743355066615c94cc6d8f91fe3bf7634

SHA512
59e7a97eb293b5f52ed04d3bfc7a2dd3833c4676573d2e599fb44bedace2adb7da516a4e86b3fbf373b415129c49553fcdf236eac3c77c22648f4df1f9d14d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1101304.exe

Filesize
892KB

MD5
0f6fb44ed64d409e7b22681d6eccf35a

SHA1
cddf8832797d0b86899200dc78e8b3bd628cb824

SHA256
ea0ee31c7040738ad083db91f618126aaa7d8aec67197d94e68ffa6ae6b40689

SHA512
46eb171de3ef09f49bc52ccec01dbd0491d6dc55e2e83bbcbf034ab5a61ae657cee348258f77f77d05f66fc5b7901a10717a88daf4705c217303dafb0ad93b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9928137.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5749368.exe

Filesize
709KB

MD5
24ecc57390242b77f453882f38f388b6

SHA1
3bdfa84d6aeaf6b4ebb3425504765acf67b424e8

SHA256
6cc87071e2158312085c87c31b8272178f5e2c27da57b755fb2c7e05fc6daf1a

SHA512
7c1ba2c26cbf70f12afdfa505d12a66d33a0631c1e2aa99849636952641c30193bd3c7005d3989d623d476661fc48f3b69d87384dcf6d0e76926fd457b1ebc0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7944559.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7803993.exe

Filesize
527KB

MD5
6b2d990dc07cf8c2e172d03474b23404

SHA1
73ccd488cf1b5466f62bf3c27e131ed3bc902cb3

SHA256
c87129f6e0a615abd35be86ef6cdcd066865311e5802d20d264c6db19a50dc4d

SHA512
d845b76f67d715da8d80ce20dc4ff38600c6c31667aa1cc4a14589e155edd728b6e11ded4c7c5f3585a0ce5628d171d41abf4632bf87e54a4183c2d7d6c35f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6222964.exe

Filesize
310KB

MD5
861e8d2170e82fecd19492b63bbd5fa6

SHA1
84d9dbbaf992ff23c31dac2165ef39ca3eadf8db

SHA256
47859ee9e62478aab82cea2f583dc924fddadf52bbe9f17eb068a24928fd0d60

SHA512
798a5fb3d5cebd7fa9336c4d4027f00862a2adab24924e65024f4898a4e423dfcced124ce556ea823f9079ac9ba0fcc0c6b1ca29c98884c764626bfefaa2e29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3509958.exe

Filesize
296KB

MD5
895409a60865c8ae2567dd6f6c08ed57

SHA1
bbc2fa3424e906ff91c494ef9e52aceec99f8cfa

SHA256
08c84a534fb485e46eacd8061ba866d4dc2aba36d34f70a33c842818cdee8ee5

SHA512
d127d51044d283f49850f86cb52910c7bc6c776ecc5e9654dccbc05151c6e7fc109ac4e3f60a7d843fb9fd94d448692b6a49a841bac5b6fbf8bd85b8dd0b779e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe

Filesize
11KB

MD5
417bf355ff406c10fd30628dc9629590

SHA1
2679d7839e4e361ea016e99e453b981002dc2d71

SHA256
9eea16179fbb0add20846370c57fc4973b3f6726983712d8314df208527b6b9b

SHA512
da8d590bb3a786087512aa99ed2e081aac67780b6b5e14a03e13dee3a2f59f23c8b21617b9ce961bfed5644626b433fbd8ceb4965a1e5e796113c1a8473bf966

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7148277.exe

Filesize
276KB

MD5
4186d77c96511ae22ef295132a469f08

SHA1
da0498d6bc8ae72ba77910879523e47875e6a9bf

SHA256
28c41fcf920a949921c7c6c43195b9bc38c60eec39c4a156fd704c6c33a43caa

SHA512
e0f4104b538089e7fc8ecc818681a2adbf615c2ac0be2be9fb1ba3c1718037da69ded59a894a1a5252400f938fb742deef30bad07d29f95d737f0e8d67b833a8

Download Submit
memory/1128-73-0x000000000B070000-0x000000000B688000-memory.dmp

Filesize
6.1MB

Download
memory/1128-47-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1128-53-0x0000000005540000-0x0000000005546000-memory.dmp

Filesize
24KB

Download
memory/1128-77-0x000000000ABD0000-0x000000000ACDA000-memory.dmp

Filesize
1.0MB

Download
memory/1128-78-0x000000000AB00000-0x000000000AB12000-memory.dmp

Filesize
72KB

Download
memory/1128-79-0x000000000AB60000-0x000000000AB9C000-memory.dmp

Filesize
240KB

Download
memory/1128-80-0x000000000ACE0000-0x000000000AD2C000-memory.dmp

Filesize
304KB

Download
memory/1812-43-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1812-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1812-40-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3324-35-0x0000000000B80000-0x0000000000B8A000-memory.dmp

Filesize
40KB

Download