amadey | ffe8fa0cf1ed446eeb9dc6eef440d6e2121396f13b66e26a431adcd9f2d605e3

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65a4c04d9eef0d0db884e244647345959a2f576dab0d856bc052140c13b17025.exe
Size

1.4MB
MD5

ce3a43f12f3f536a897ffe527cd1f10f
SHA1

8a4763f0a032b5c70846ba3c7da378a3482eac12
SHA256

65a4c04d9eef0d0db884e244647345959a2f576dab0d856bc052140c13b17025
SHA512

c3aad6a4a86b79b167a3989eb8d4cc6f75df354b805f8c160f8cb5dbe812144daf5d7bd07c36d3e12767adc8f8f554cfd4846599fe5f9524b9eb3e79fb407a1e
SSDEEP

24576:oyW34oUUWqSF+Ww//7tpefhOrb44GWpd0a0SJtD6K5SadD3F9G:vjjZoWw/ztUJ4E4GWz0hSKKtD3b

Score

10^/10

amadey healer mystic redline daf753 fb0fb8 trush dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

trush

77.91.124.82:19071

Attributes

auth_value
c13814867cde8193679cd0cad2d774be

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

Extracted

Family

amadey

Version

3.89

Botnet

daf753

http://77.91.68.78

Attributes

install_dir
cb378487cf
install_file
legota.exe
strings_key
f3785cbeef2013b6724eed349fd316ba
url_paths
/help/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral14/memory/868-45-0x0000000000400000-0x000000000042F000-memory.dmp	mystic_family
behavioral14/memory/868-48-0x0000000000400000-0x000000000042F000-memory.dmp	mystic_family
behavioral14/memory/868-46-0x0000000000400000-0x000000000042F000-memory.dmp	mystic_family

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral14/memory/2756-76-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral14/memory/4244-35-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

t1573445.exelegota.exes6542297.exeexplonde.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	t1573445.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	legota.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	s6542297.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	explonde.exe

Executes dropped EXE 18 IoCs

Processes:

z3137575.exez1578254.exez0115334.exez4816729.exeq6620270.exer1227680.exes6542297.exeexplonde.exet1573445.exelegota.exeu6904932.exew0473678.exeexplonde.exelegota.exeexplonde.exelegota.exeexplonde.exelegota.exe

pid	process
1392	z3137575.exe
2924	z1578254.exe
1436	z0115334.exe
1028	z4816729.exe
4784	q6620270.exe
1648	r1227680.exe
8	s6542297.exe
1020	explonde.exe
4888	t1573445.exe
4228	legota.exe
1004	u6904932.exe
4264	w0473678.exe
2816	explonde.exe
1436	legota.exe
4904	explonde.exe
2656	legota.exe
1332	explonde.exe
876	legota.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

z0115334.exez4816729.exe65a4c04d9eef0d0db884e244647345959a2f576dab0d856bc052140c13b17025.exez3137575.exez1578254.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z0115334.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z4816729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	65a4c04d9eef0d0db884e244647345959a2f576dab0d856bc052140c13b17025.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3137575.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1578254.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

q6620270.exer1227680.exeu6904932.exe

description	pid	process	target process
PID 4784 set thread context of 4244	4784	q6620270.exe	AppLaunch.exe
PID 1648 set thread context of 868	1648	r1227680.exe	AppLaunch.exe
PID 1004 set thread context of 2756	1004	u6904932.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3280 4784 WerFault.exe q6620270.exe
5056 1648 WerFault.exe r1227680.exe
4136 1004 WerFault.exe u6904932.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1748 schtasks.exe
436 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

2756 AppLaunch.exe
2756 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2756 AppLaunch.exe

pid	pid_target	process	target process
3280	4784	WerFault.exe	q6620270.exe
5056	1648	WerFault.exe	r1227680.exe
4136	1004	WerFault.exe	u6904932.exe

pid	process
1748	schtasks.exe
436	schtasks.exe

pid	process
2756	AppLaunch.exe
2756	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2756	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

65a4c04d9eef0d0db884e244647345959a2f576dab0d856bc052140c13b17025.exez3137575.exez1578254.exez0115334.exez4816729.exeq6620270.exer1227680.exes6542297.exeexplonde.exet1573445.execmd.exe

description	pid	process	target process
PID 2272 wrote to memory of 1392	2272	65a4c04d9eef0d0db884e244647345959a2f576dab0d856bc052140c13b17025.exe	z3137575.exe
PID 2272 wrote to memory of 1392	2272	65a4c04d9eef0d0db884e244647345959a2f576dab0d856bc052140c13b17025.exe	z3137575.exe
PID 2272 wrote to memory of 1392	2272	65a4c04d9eef0d0db884e244647345959a2f576dab0d856bc052140c13b17025.exe	z3137575.exe
PID 1392 wrote to memory of 2924	1392	z3137575.exe	z1578254.exe
PID 1392 wrote to memory of 2924	1392	z3137575.exe	z1578254.exe
PID 1392 wrote to memory of 2924	1392	z3137575.exe	z1578254.exe
PID 2924 wrote to memory of 1436	2924	z1578254.exe	z0115334.exe
PID 2924 wrote to memory of 1436	2924	z1578254.exe	z0115334.exe
PID 2924 wrote to memory of 1436	2924	z1578254.exe	z0115334.exe
PID 1436 wrote to memory of 1028	1436	z0115334.exe	z4816729.exe
PID 1436 wrote to memory of 1028	1436	z0115334.exe	z4816729.exe
PID 1436 wrote to memory of 1028	1436	z0115334.exe	z4816729.exe
PID 1028 wrote to memory of 4784	1028	z4816729.exe	q6620270.exe
PID 1028 wrote to memory of 4784	1028	z4816729.exe	q6620270.exe
PID 1028 wrote to memory of 4784	1028	z4816729.exe	q6620270.exe
PID 4784 wrote to memory of 2344	4784	q6620270.exe	AppLaunch.exe
PID 4784 wrote to memory of 2344	4784	q6620270.exe	AppLaunch.exe
PID 4784 wrote to memory of 2344	4784	q6620270.exe	AppLaunch.exe
PID 4784 wrote to memory of 4244	4784	q6620270.exe	AppLaunch.exe
PID 4784 wrote to memory of 4244	4784	q6620270.exe	AppLaunch.exe
PID 4784 wrote to memory of 4244	4784	q6620270.exe	AppLaunch.exe
PID 4784 wrote to memory of 4244	4784	q6620270.exe	AppLaunch.exe
PID 4784 wrote to memory of 4244	4784	q6620270.exe	AppLaunch.exe
PID 4784 wrote to memory of 4244	4784	q6620270.exe	AppLaunch.exe
PID 4784 wrote to memory of 4244	4784	q6620270.exe	AppLaunch.exe
PID 4784 wrote to memory of 4244	4784	q6620270.exe	AppLaunch.exe
PID 1028 wrote to memory of 1648	1028	z4816729.exe	r1227680.exe
PID 1028 wrote to memory of 1648	1028	z4816729.exe	r1227680.exe
PID 1028 wrote to memory of 1648	1028	z4816729.exe	r1227680.exe
PID 1648 wrote to memory of 868	1648	r1227680.exe	AppLaunch.exe
PID 1648 wrote to memory of 868	1648	r1227680.exe	AppLaunch.exe
PID 1648 wrote to memory of 868	1648	r1227680.exe	AppLaunch.exe
PID 1648 wrote to memory of 868	1648	r1227680.exe	AppLaunch.exe
PID 1648 wrote to memory of 868	1648	r1227680.exe	AppLaunch.exe
PID 1648 wrote to memory of 868	1648	r1227680.exe	AppLaunch.exe
PID 1648 wrote to memory of 868	1648	r1227680.exe	AppLaunch.exe
PID 1648 wrote to memory of 868	1648	r1227680.exe	AppLaunch.exe
PID 1648 wrote to memory of 868	1648	r1227680.exe	AppLaunch.exe
PID 1648 wrote to memory of 868	1648	r1227680.exe	AppLaunch.exe
PID 1436 wrote to memory of 8	1436	z0115334.exe	s6542297.exe
PID 1436 wrote to memory of 8	1436	z0115334.exe	s6542297.exe
PID 1436 wrote to memory of 8	1436	z0115334.exe	s6542297.exe
PID 8 wrote to memory of 1020	8	s6542297.exe	explonde.exe
PID 8 wrote to memory of 1020	8	s6542297.exe	explonde.exe
PID 8 wrote to memory of 1020	8	s6542297.exe	explonde.exe
PID 2924 wrote to memory of 4888	2924	z1578254.exe	t1573445.exe
PID 2924 wrote to memory of 4888	2924	z1578254.exe	t1573445.exe
PID 2924 wrote to memory of 4888	2924	z1578254.exe	t1573445.exe
PID 1020 wrote to memory of 1748	1020	explonde.exe	schtasks.exe
PID 1020 wrote to memory of 1748	1020	explonde.exe	schtasks.exe
PID 1020 wrote to memory of 1748	1020	explonde.exe	schtasks.exe
PID 1020 wrote to memory of 5000	1020	explonde.exe	cmd.exe
PID 1020 wrote to memory of 5000	1020	explonde.exe	cmd.exe
PID 1020 wrote to memory of 5000	1020	explonde.exe	cmd.exe
PID 4888 wrote to memory of 4228	4888	t1573445.exe	legota.exe
PID 4888 wrote to memory of 4228	4888	t1573445.exe	legota.exe
PID 4888 wrote to memory of 4228	4888	t1573445.exe	legota.exe
PID 5000 wrote to memory of 4776	5000	cmd.exe	cmd.exe
PID 5000 wrote to memory of 4776	5000	cmd.exe	cmd.exe
PID 5000 wrote to memory of 4776	5000	cmd.exe	cmd.exe
PID 1392 wrote to memory of 1004	1392	z3137575.exe	u6904932.exe
PID 1392 wrote to memory of 1004	1392	z3137575.exe	u6904932.exe
PID 1392 wrote to memory of 1004	1392	z3137575.exe	u6904932.exe
PID 5000 wrote to memory of 4316	5000	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\65a4c04d9eef0d0db884e244647345959a2f576dab0d856bc052140c13b17025.exe
"C:\Users\Admin\AppData\Local\Temp\65a4c04d9eef0d0db884e244647345959a2f576dab0d856bc052140c13b17025.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3137575.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3137575.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1578254.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1578254.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2924

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0115334.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0115334.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4816729.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4816729.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6620270.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6620270.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 136
7⤵
- Program crash
PID:3280

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1227680.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1227680.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 136
7⤵
- Program crash
PID:5056

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6542297.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6542297.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
7⤵
- Creates scheduled task(s)
PID:1748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
7⤵
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:4776

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:N"
8⤵
PID:4316

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:R" /E
8⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:4976

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
8⤵
PID:1932

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
8⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1573445.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1573445.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4228

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
6⤵
- Creates scheduled task(s)
PID:436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
6⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3360

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
7⤵
PID:3752

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
7⤵
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:5116

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
7⤵
PID:3032

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
7⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6904932.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6904932.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 580
4⤵
- Program crash
PID:4136

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0473678.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0473678.exe
2⤵
- Executes dropped EXE
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4784 -ip 4784
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1648 -ip 1648
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1004 -ip 1004
1⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:1436

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:4904

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:2656

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:1332

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0473678.exe

Filesize
16KB

MD5
d92fa7776f15463793be51e719c83f68

SHA1
2555f7fa8bf1cc9e0c1c1ad33c601494300be0bf

SHA256
d3aa6169ac6095b3449e38312fa7d6370be801578203664afbd6e1fe7f5920ea

SHA512
4ad669b6476b4aa407dbb17e11c9510ee423615827d57cff284e1466e1485f21e248e17b7c8964c177b5a5bee52f429d98f3e69f5b858046744163a4bc0e85ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3137575.exe

Filesize
1.3MB

MD5
2ad617131c213e200e2702670f791e01

SHA1
f2fe46e73ec5971d2be77c517f9f601f1dfc8285

SHA256
25f79b9c46c21d15073213e9ac6cbed8a514a78172260dcddaa0205c2e1e439f

SHA512
dde89670d709efc4dee98ea1c5c89b0c7e24f886029fd1e099581b48e6fd29333e5cb8053e4b08cf4b579525d5c014322f36a4f721dcc6a0861e0d6350f0d18f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6904932.exe

Filesize
899KB

MD5
ecce04cc36e369dacb2c47ec61cc8f6f

SHA1
00ba309feb924b49480bb92043210b96703e472f

SHA256
2b8f055d16908dc12ba1297cf1d9dffd67f83361b42a7cfbe94828a62700024c

SHA512
420c4183e26bd960373162083d55b8353c7de20e6d275c59aa40f23caa0eb09a5bd90c5587589ee1505d540170363b9848bb28c24d0d230b9f823cc084157ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1578254.exe

Filesize
953KB

MD5
0ffe1efe1178156987b2b1791c2d9ed5

SHA1
7fed902f3dafd238e5c07c81eecf9eaa58cfcdd6

SHA256
5be3f41746c8ec1f8fcf72582efaac7e2cc74d3994a921f9620193232b7daa7b

SHA512
167c362c8c9d3e82959e51d75ec252f0a79cd69074c413ab886b1b465614735ea91420bf7ab4b397b58cc34e0b81b0fe3979080cd448768d0937190569ee6b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1573445.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0115334.exe

Filesize
770KB

MD5
ab0cc7eae4bcdaf2e4cf69afa2f3a789

SHA1
b2a32752078889059070402a13dcb70f1a1f3e73

SHA256
ca78b67ef330ed5afa3826df1b1a3093aabe2a84afd67fe4f0e8b2c034a568e0

SHA512
29ae1b6e54a16d7c9a17b6ce1fab196539982b10b4d72f60cccdbdc205d2c746adb014203dedbce3cc1d140f9f6bd0a48f162f3ac0f7851a2bb64e687e6ccc6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6542297.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4816729.exe

Filesize
588KB

MD5
c0e09a2958d5b65b3407a6be52b9edfd

SHA1
ada6052e58e02a571f64a743207c1f8f9723a845

SHA256
0264ec5c2987722ca504aa806e49f36fdaabd89c3a7f83c8c320b3ea68acb94b

SHA512
3bea72e15d88d188d3ecd84ef76198a63853694e07da0af4ae28dad2b0d0d5c3f544b237167dc24733917d4008c103cfe180de8c7dda5e45b4b5bd6190802d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6620270.exe

Filesize
1.1MB

MD5
df878f89693a6048a75ff937c1b4e1fb

SHA1
34ace115718b691b23a404b0527b09d1e0541827

SHA256
8c00a28605afd0c619a54455423f35a269f29c74269e08ca31bb85e0e56937fd

SHA512
07ad11c3f1825592e5d7101bc8aa8d6e1eb60d2ba7d9bcff47fd5f32ee6a1e15875329cc1d14ed0de52f42f71c37e22fdaf18e5152c0955273f3da0efb3f5bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1227680.exe

Filesize
1.1MB

MD5
6f7931901c67fb70b624c270413f6fd0

SHA1
f572554c35f6e575e3471ff2adc5653c461eb9d2

SHA256
b81595ce8fbb2fc86fad8323369473d011d92551c5d3ce5d24d276d88fc48f46

SHA512
6adda936fb708bb40dd3c6d68f55704956fdbdd31fd11d2b2fbeb2cdcd1b25389e2471982bc993d8e667801a919f3c8ebb4878288919f0695d782f488a494ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
192KB

MD5
d5d5852dc930eb859d49e7b375dd01d5

SHA1
409e8b71a6376306d577b42b210a191640b29ecc

SHA256
87f356f613cfb94a472cd1e67919262706912db1961a2eadebdebc2f0594525f

SHA512
012d6c3093a295dd642c325e7db7d3ccd3f780d494f502dd33595fd1bda2ae3772232a094470d75f330f91a2ea31d57d1615fe2707535bf587a2d8b6693ef60e

Download Submit
memory/868-46-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/868-45-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/868-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2756-76-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4244-35-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4244-44-0x0000000005BE0000-0x0000000005C2C000-memory.dmp

Filesize
304KB

Download
memory/4244-42-0x0000000005A50000-0x0000000005A8C000-memory.dmp

Filesize
240KB

Download
memory/4244-41-0x00000000059F0000-0x0000000005A02000-memory.dmp

Filesize
72KB

Download
memory/4244-40-0x0000000005AD0000-0x0000000005BDA000-memory.dmp

Filesize
1.0MB

Download
memory/4244-37-0x0000000005FE0000-0x00000000065F8000-memory.dmp

Filesize
6.1MB

Download
memory/4244-36-0x0000000005980000-0x0000000005986000-memory.dmp

Filesize
24KB

Download