amadey | a44d7397ca2486a37cfbc6cd473037b204a5fe4678303dd2f187c814c85f25db

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bae99364dcd24884412ebf95baa476884b86666b0891ad8f7c642d1e72901855.exe
Size

1.3MB
MD5

7529bdfa5dbc18c1f73f6606e98b4e9b
SHA1

a1523edacc0dc68672d5b912f6f8b41b2001efd1
SHA256

bae99364dcd24884412ebf95baa476884b86666b0891ad8f7c642d1e72901855
SHA512

3efa3ad436d23115d1affb20d5d73700bae8279dc173bfa33fbf59a18486592d8eac38308409ea061f4715c273511ebb1975297f32d7e889a2582adcda11557b
SSDEEP

24576:aysk1sNnbCUxNG+VA/YgX/4vmG5BvPTDS63rPUEQ/WLcJP:hsk1sNbPxNHy/YC5UvPHBrJQ/M

Score

10^/10

amadey healer mystic redline daf753 fb0fb8 trush dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

trush

77.91.124.82:19071

Attributes

auth_value
c13814867cde8193679cd0cad2d774be

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

Extracted

Family

amadey

Version

3.89

Botnet

daf753

http://77.91.68.78

Attributes

install_dir
cb378487cf
install_file
legota.exe
strings_key
f3785cbeef2013b6724eed349fd316ba
url_paths
/help/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral10/memory/4460-38-0x0000000000400000-0x000000000042F000-memory.dmp	mystic_family
behavioral10/memory/4460-36-0x0000000000400000-0x000000000042F000-memory.dmp	mystic_family
behavioral10/memory/4460-35-0x0000000000400000-0x000000000042F000-memory.dmp	mystic_family

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral10/memory/4676-76-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral10/memory/4540-42-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s8052440.exeexplonde.exet5993025.exelegota.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	s8052440.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	explonde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	t5993025.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	legota.exe

Executes dropped EXE 16 IoCs

Processes:

z4434292.exez8224704.exez9693896.exez9260949.exeq2715406.exer7392010.exes8052440.exeexplonde.exet5993025.exelegota.exeu2859580.exew6588431.exeexplonde.exelegota.exeexplonde.exelegota.exe

pid	process
2012	z4434292.exe
4068	z8224704.exe
1776	z9693896.exe
3136	z9260949.exe
4792	q2715406.exe
5048	r7392010.exe
2820	s8052440.exe
1644	explonde.exe
1700	t5993025.exe
3700	legota.exe
2352	u2859580.exe
1100	w6588431.exe
1232	explonde.exe
4668	legota.exe
1028	explonde.exe
4580	legota.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bae99364dcd24884412ebf95baa476884b86666b0891ad8f7c642d1e72901855.exez4434292.exez8224704.exez9693896.exez9260949.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bae99364dcd24884412ebf95baa476884b86666b0891ad8f7c642d1e72901855.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4434292.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8224704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z9693896.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z9260949.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

q2715406.exer7392010.exeu2859580.exe

description	pid	process	target process
PID 4792 set thread context of 4460	4792	q2715406.exe	AppLaunch.exe
PID 5048 set thread context of 4540	5048	r7392010.exe	AppLaunch.exe
PID 2352 set thread context of 4676	2352	u2859580.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2464 4792 WerFault.exe q2715406.exe
4688 5048 WerFault.exe r7392010.exe
3996 2352 WerFault.exe u2859580.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3152 schtasks.exe
4560 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

4676 AppLaunch.exe
4676 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 4676 AppLaunch.exe

pid	pid_target	process	target process
2464	4792	WerFault.exe	q2715406.exe
4688	5048	WerFault.exe	r7392010.exe
3996	2352	WerFault.exe	u2859580.exe

pid	process
3152	schtasks.exe
4560	schtasks.exe

pid	process
4676	AppLaunch.exe
4676	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4676	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bae99364dcd24884412ebf95baa476884b86666b0891ad8f7c642d1e72901855.exez4434292.exez8224704.exez9693896.exez9260949.exeq2715406.exer7392010.exes8052440.exeexplonde.exet5993025.execmd.exe

description	pid	process	target process
PID 1420 wrote to memory of 2012	1420	bae99364dcd24884412ebf95baa476884b86666b0891ad8f7c642d1e72901855.exe	z4434292.exe
PID 1420 wrote to memory of 2012	1420	bae99364dcd24884412ebf95baa476884b86666b0891ad8f7c642d1e72901855.exe	z4434292.exe
PID 1420 wrote to memory of 2012	1420	bae99364dcd24884412ebf95baa476884b86666b0891ad8f7c642d1e72901855.exe	z4434292.exe
PID 2012 wrote to memory of 4068	2012	z4434292.exe	z8224704.exe
PID 2012 wrote to memory of 4068	2012	z4434292.exe	z8224704.exe
PID 2012 wrote to memory of 4068	2012	z4434292.exe	z8224704.exe
PID 4068 wrote to memory of 1776	4068	z8224704.exe	z9693896.exe
PID 4068 wrote to memory of 1776	4068	z8224704.exe	z9693896.exe
PID 4068 wrote to memory of 1776	4068	z8224704.exe	z9693896.exe
PID 1776 wrote to memory of 3136	1776	z9693896.exe	z9260949.exe
PID 1776 wrote to memory of 3136	1776	z9693896.exe	z9260949.exe
PID 1776 wrote to memory of 3136	1776	z9693896.exe	z9260949.exe
PID 3136 wrote to memory of 4792	3136	z9260949.exe	q2715406.exe
PID 3136 wrote to memory of 4792	3136	z9260949.exe	q2715406.exe
PID 3136 wrote to memory of 4792	3136	z9260949.exe	q2715406.exe
PID 4792 wrote to memory of 4460	4792	q2715406.exe	AppLaunch.exe
PID 4792 wrote to memory of 4460	4792	q2715406.exe	AppLaunch.exe
PID 4792 wrote to memory of 4460	4792	q2715406.exe	AppLaunch.exe
PID 4792 wrote to memory of 4460	4792	q2715406.exe	AppLaunch.exe
PID 4792 wrote to memory of 4460	4792	q2715406.exe	AppLaunch.exe
PID 4792 wrote to memory of 4460	4792	q2715406.exe	AppLaunch.exe
PID 4792 wrote to memory of 4460	4792	q2715406.exe	AppLaunch.exe
PID 4792 wrote to memory of 4460	4792	q2715406.exe	AppLaunch.exe
PID 4792 wrote to memory of 4460	4792	q2715406.exe	AppLaunch.exe
PID 4792 wrote to memory of 4460	4792	q2715406.exe	AppLaunch.exe
PID 3136 wrote to memory of 5048	3136	z9260949.exe	r7392010.exe
PID 3136 wrote to memory of 5048	3136	z9260949.exe	r7392010.exe
PID 3136 wrote to memory of 5048	3136	z9260949.exe	r7392010.exe
PID 5048 wrote to memory of 3332	5048	r7392010.exe	AppLaunch.exe
PID 5048 wrote to memory of 3332	5048	r7392010.exe	AppLaunch.exe
PID 5048 wrote to memory of 3332	5048	r7392010.exe	AppLaunch.exe
PID 5048 wrote to memory of 448	5048	r7392010.exe	AppLaunch.exe
PID 5048 wrote to memory of 448	5048	r7392010.exe	AppLaunch.exe
PID 5048 wrote to memory of 448	5048	r7392010.exe	AppLaunch.exe
PID 5048 wrote to memory of 4540	5048	r7392010.exe	AppLaunch.exe
PID 5048 wrote to memory of 4540	5048	r7392010.exe	AppLaunch.exe
PID 5048 wrote to memory of 4540	5048	r7392010.exe	AppLaunch.exe
PID 5048 wrote to memory of 4540	5048	r7392010.exe	AppLaunch.exe
PID 5048 wrote to memory of 4540	5048	r7392010.exe	AppLaunch.exe
PID 5048 wrote to memory of 4540	5048	r7392010.exe	AppLaunch.exe
PID 5048 wrote to memory of 4540	5048	r7392010.exe	AppLaunch.exe
PID 5048 wrote to memory of 4540	5048	r7392010.exe	AppLaunch.exe
PID 1776 wrote to memory of 2820	1776	z9693896.exe	s8052440.exe
PID 1776 wrote to memory of 2820	1776	z9693896.exe	s8052440.exe
PID 1776 wrote to memory of 2820	1776	z9693896.exe	s8052440.exe
PID 2820 wrote to memory of 1644	2820	s8052440.exe	explonde.exe
PID 2820 wrote to memory of 1644	2820	s8052440.exe	explonde.exe
PID 2820 wrote to memory of 1644	2820	s8052440.exe	explonde.exe
PID 4068 wrote to memory of 1700	4068	z8224704.exe	t5993025.exe
PID 4068 wrote to memory of 1700	4068	z8224704.exe	t5993025.exe
PID 4068 wrote to memory of 1700	4068	z8224704.exe	t5993025.exe
PID 1644 wrote to memory of 3152	1644	explonde.exe	schtasks.exe
PID 1644 wrote to memory of 3152	1644	explonde.exe	schtasks.exe
PID 1644 wrote to memory of 3152	1644	explonde.exe	schtasks.exe
PID 1644 wrote to memory of 1496	1644	explonde.exe	cmd.exe
PID 1644 wrote to memory of 1496	1644	explonde.exe	cmd.exe
PID 1644 wrote to memory of 1496	1644	explonde.exe	cmd.exe
PID 1700 wrote to memory of 3700	1700	t5993025.exe	legota.exe
PID 1700 wrote to memory of 3700	1700	t5993025.exe	legota.exe
PID 1700 wrote to memory of 3700	1700	t5993025.exe	legota.exe
PID 1496 wrote to memory of 4268	1496	cmd.exe	cmd.exe
PID 1496 wrote to memory of 4268	1496	cmd.exe	cmd.exe
PID 1496 wrote to memory of 4268	1496	cmd.exe	cmd.exe
PID 2012 wrote to memory of 2352	2012	z4434292.exe	u2859580.exe

C:\Users\Admin\AppData\Local\Temp\bae99364dcd24884412ebf95baa476884b86666b0891ad8f7c642d1e72901855.exe
"C:\Users\Admin\AppData\Local\Temp\bae99364dcd24884412ebf95baa476884b86666b0891ad8f7c642d1e72901855.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4434292.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4434292.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8224704.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8224704.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9693896.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9693896.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9260949.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9260949.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3136
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2715406.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2715406.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 156
        7⤵
        Program crash
        
        PID:2464
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7392010.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7392010.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:448
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 568
        7⤵
        Program crash
        
        PID:4688
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8052440.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8052440.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:N"
        8⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:R" /E
        8⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        8⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        8⤵
        
        PID:4600
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5993025.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5993025.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3700
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:4560
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:N"
        7⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:R" /E
        7⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:N"
        7⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:R" /E
        7⤵
        
        PID:4420
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u2859580.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u2859580.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2352
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4676
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 136
      4⤵
      Program crash
      PID:3996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6588431.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6588431.exe
  2⤵
  - Executes dropped EXE
  PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4792 -ip 4792
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5048 -ip 5048
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2352 -ip 2352
1⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:1232

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:4668

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:1028

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6588431.exe

Filesize
17KB

MD5
8d74032230087ca95f59ad912fd13da0

SHA1
b40b094ba995c156e2bb36f6337a63133a21a82e

SHA256
ad5cd2bce6b31853eff91be4d7a93d61f1c399bb74b9a259a49b00fc09346e77

SHA512
f346c712f13708cd329ba8487a175823316f108f9b3cb1bd64c1b522a24bb118dd2508497129352048add45423b242722f791597d2a8662231ffe902d92896dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4434292.exe

Filesize
1.2MB

MD5
c35245433aa0737ec0abe53bade9fabc

SHA1
353e5fc83d0c04448260ab0a5a777cac48a4b4f8

SHA256
45637df89793caff5c97aa461b0840fe64bf78ca076b32b66ed1f98179e7eda7

SHA512
e3ed0562d0848208618a4cc89fefa9bfce832732c440f6f0cac472a0933254ec4e20fe4c71540497fddd17ef37bc0c71ea7bc5eb644cd6f52507d79318e84b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u2859580.exe

Filesize
861KB

MD5
c8e6b5a0dcbfea40d9258abc35f44d62

SHA1
04a23d2e6d95167eab063395efdfc0587f93982f

SHA256
81a1a268668faf4d41746eca6fef423e405402d66f7d274a87ec3f9fd2ed5fbd

SHA512
374aea9bf311f66279ad0e3b34e8bd8ce55873d98b6edca5af5063930746758ae1cff42b6e383edfb0059c725a075c7c74ce19bd0cd937555d0c1d5812c8feef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8224704.exe

Filesize
929KB

MD5
04d62a2b6f9db7784b216994dac2f9b3

SHA1
50e543eba1dc4e482c1b47f1b5d759270b88e20e

SHA256
30969f074952eb6b13d551045929cedd2eb5db93a858001c7e998f56814128df

SHA512
17707470a39ed0440e8066792200399dccd424eeb4aa636dcc70f8fcfdab2ebee1a651bee841358c030d5aaaa0f76638acfe7b26ab1a999283a3badf7d2c3754

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5993025.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9693896.exe

Filesize
746KB

MD5
676b3a2e8cbc8ccc86171a173ba9cdbe

SHA1
f9a3710d54cb85517da68724b33bb85fb482a75f

SHA256
14f490f39beaa57dc0395a3841e7547777e2a4707e8d69b15082ec1ac75012db

SHA512
d3ccbc85e8927d871263fd0dc5e7109e9aea7c83bfbd147ebee133e6d39468a3605ad66d10df073dc19c43ad924b800e49250a0591894439350d7e4dcd9f1450

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8052440.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9260949.exe

Filesize
564KB

MD5
e870b09503361c3646b4b0cb39a4ecb0

SHA1
db118e2f1af0c49d43d10bd8d490df07ccde2195

SHA256
b05153494e3b18b6c776aaca50be294a5e32f6a357c1e049aae2bb712d443a20

SHA512
cf1842a7ea63c051c62f309801f4233cdcb5d4b731c85342e901cdc962198fe729106b9bb108a6a5613f11f04f25395eb61ca3717b92e32b86d25e3e5f3c67bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2715406.exe

Filesize
1.0MB

MD5
365c377af634038759c0c86797e404c3

SHA1
0b609acc8fa094ac3f89680711b8caa8b5589623

SHA256
5d22e1d1819740edeeae24d93d70211e7672d2de3228889a673ecdd959e4cc9d

SHA512
2fc9f586cf7fde9ade48e7d90528e458a85568497946c746d88ab827aa101f637320b70ba5f6d645f1b36fbfc06119db3b2ac09a13ea97e9f98b9f0b0bebac47

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7392010.exe

Filesize
1.0MB

MD5
dc0ec4b1d3a518bb751b9752b2c91e0e

SHA1
bda1f4702e48ddcf3fc1638d9cf6d703a8c4c0ba

SHA256
d2c7805fa3f4dc3ef6275f3e2aa8d94f15d84fa2bf5566f6e5199d047c9ce665

SHA512
3674f290e2c025d72d18b9d070f4c1dc20c30e33d382501cfdcddeda19312f4471247d18b4c4718ccda9054a56add6e608e3a0b407854f6f2b417a570c48552e

Download Submit
memory/4460-38-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4460-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4460-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-43-0x0000000002F70000-0x0000000002F76000-memory.dmp

Filesize
24KB

Download
memory/4540-50-0x000000000AA90000-0x000000000AB9A000-memory.dmp

Filesize
1.0MB

Download
memory/4540-42-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4540-62-0x0000000002EB0000-0x0000000002EFC000-memory.dmp

Filesize
304KB

Download
memory/4540-59-0x000000000AA30000-0x000000000AA6C000-memory.dmp

Filesize
240KB

Download
memory/4540-52-0x000000000A9D0000-0x000000000A9E2000-memory.dmp

Filesize
72KB

Download
memory/4540-49-0x000000000AF70000-0x000000000B588000-memory.dmp

Filesize
6.1MB

Download
memory/4676-76-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download