amadey | 5eb722b1af29eaaa64b029ffc54dddae92acbb9c1b778b6bc51551329ed241e8

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74692ca9aa25e702576e835faf8a87d99d208bf02a87a5cd0cca52088e2e27ea.exe
Size

1.8MB
MD5

3c48d87b5cd6967b58c746fc78e70624
SHA1

544da193b8ac757c57059cc657e3f128869c96d0
SHA256

74692ca9aa25e702576e835faf8a87d99d208bf02a87a5cd0cca52088e2e27ea
SHA512

3606e207e8895ed36a387083256d485e997cbf4f4691ae91ae16c1c80cabab505af6b46c521647a69dccec8a0db6fbc62c48ab72f543eb89fb43953ac55cc225
SSDEEP

49152:sB90j4GlIcJysiUv3lWsK8EeCqdTGl8tF:k0EWl91Wsdj4l4F

Score

10^/10

amadey mystic redline smokeloader 04d170 plost backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

plost

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

Botnet

04d170

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral11/memory/1360-46-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral11/memory/1360-50-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral11/memory/1360-52-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6sG1cY6.exe	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral11/memory/1216-59-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explothe.exe7Ws0jM83.exe5NZ2vi5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	7Ws0jM83.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	5NZ2vi5.exe

Executes dropped EXE 15 IoCs

Processes:

Bu4yh37.exeoa2sX98.exeuT9vY09.exean9Gh92.exeyd9LN78.exe1Xx31Yu7.exe2sP0937.exe3kr06uP.exe4Jx421So.exe5NZ2vi5.exeexplothe.exe6sG1cY6.exe7Ws0jM83.exeexplothe.exeexplothe.exe

pid	process
1784	Bu4yh37.exe
1252	oa2sX98.exe
3572	uT9vY09.exe
544	an9Gh92.exe
2128	yd9LN78.exe
5060	1Xx31Yu7.exe
4620	2sP0937.exe
840	3kr06uP.exe
1876	4Jx421So.exe
2328	5NZ2vi5.exe
1604	explothe.exe
4444	6sG1cY6.exe
1840	7Ws0jM83.exe
1880	explothe.exe
1456	explothe.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

an9Gh92.exeyd9LN78.exe74692ca9aa25e702576e835faf8a87d99d208bf02a87a5cd0cca52088e2e27ea.exeBu4yh37.exeoa2sX98.exeuT9vY09.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	an9Gh92.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	yd9LN78.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	74692ca9aa25e702576e835faf8a87d99d208bf02a87a5cd0cca52088e2e27ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Bu4yh37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	oa2sX98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	uT9vY09.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1Xx31Yu7.exe2sP0937.exe4Jx421So.exe

description	pid	process	target process
PID 5060 set thread context of 1416	5060	1Xx31Yu7.exe	AppLaunch.exe
PID 4620 set thread context of 1360	4620	2sP0937.exe	AppLaunch.exe
PID 1876 set thread context of 1216	1876	4Jx421So.exe	AppLaunch.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4156 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4156	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3kr06uP.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3kr06uP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3kr06uP.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3kr06uP.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3068 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

1416 AppLaunch.exe
1416 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 1416 AppLaunch.exe

pid	process
3068	schtasks.exe

pid	process
1416	AppLaunch.exe
1416	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1416	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

74692ca9aa25e702576e835faf8a87d99d208bf02a87a5cd0cca52088e2e27ea.exeBu4yh37.exeoa2sX98.exeuT9vY09.exean9Gh92.exeyd9LN78.exe1Xx31Yu7.exe2sP0937.exe4Jx421So.exe5NZ2vi5.exe

description	pid	process	target process
PID 2144 wrote to memory of 1784	2144	74692ca9aa25e702576e835faf8a87d99d208bf02a87a5cd0cca52088e2e27ea.exe	Bu4yh37.exe
PID 2144 wrote to memory of 1784	2144	74692ca9aa25e702576e835faf8a87d99d208bf02a87a5cd0cca52088e2e27ea.exe	Bu4yh37.exe
PID 2144 wrote to memory of 1784	2144	74692ca9aa25e702576e835faf8a87d99d208bf02a87a5cd0cca52088e2e27ea.exe	Bu4yh37.exe
PID 1784 wrote to memory of 1252	1784	Bu4yh37.exe	oa2sX98.exe
PID 1784 wrote to memory of 1252	1784	Bu4yh37.exe	oa2sX98.exe
PID 1784 wrote to memory of 1252	1784	Bu4yh37.exe	oa2sX98.exe
PID 1252 wrote to memory of 3572	1252	oa2sX98.exe	uT9vY09.exe
PID 1252 wrote to memory of 3572	1252	oa2sX98.exe	uT9vY09.exe
PID 1252 wrote to memory of 3572	1252	oa2sX98.exe	uT9vY09.exe
PID 3572 wrote to memory of 544	3572	uT9vY09.exe	an9Gh92.exe
PID 3572 wrote to memory of 544	3572	uT9vY09.exe	an9Gh92.exe
PID 3572 wrote to memory of 544	3572	uT9vY09.exe	an9Gh92.exe
PID 544 wrote to memory of 2128	544	an9Gh92.exe	yd9LN78.exe
PID 544 wrote to memory of 2128	544	an9Gh92.exe	yd9LN78.exe
PID 544 wrote to memory of 2128	544	an9Gh92.exe	yd9LN78.exe
PID 2128 wrote to memory of 5060	2128	yd9LN78.exe	1Xx31Yu7.exe
PID 2128 wrote to memory of 5060	2128	yd9LN78.exe	1Xx31Yu7.exe
PID 2128 wrote to memory of 5060	2128	yd9LN78.exe	1Xx31Yu7.exe
PID 5060 wrote to memory of 1416	5060	1Xx31Yu7.exe	AppLaunch.exe
PID 5060 wrote to memory of 1416	5060	1Xx31Yu7.exe	AppLaunch.exe
PID 5060 wrote to memory of 1416	5060	1Xx31Yu7.exe	AppLaunch.exe
PID 5060 wrote to memory of 1416	5060	1Xx31Yu7.exe	AppLaunch.exe
PID 5060 wrote to memory of 1416	5060	1Xx31Yu7.exe	AppLaunch.exe
PID 5060 wrote to memory of 1416	5060	1Xx31Yu7.exe	AppLaunch.exe
PID 5060 wrote to memory of 1416	5060	1Xx31Yu7.exe	AppLaunch.exe
PID 5060 wrote to memory of 1416	5060	1Xx31Yu7.exe	AppLaunch.exe
PID 2128 wrote to memory of 4620	2128	yd9LN78.exe	2sP0937.exe
PID 2128 wrote to memory of 4620	2128	yd9LN78.exe	2sP0937.exe
PID 2128 wrote to memory of 4620	2128	yd9LN78.exe	2sP0937.exe
PID 4620 wrote to memory of 1360	4620	2sP0937.exe	AppLaunch.exe
PID 4620 wrote to memory of 1360	4620	2sP0937.exe	AppLaunch.exe
PID 4620 wrote to memory of 1360	4620	2sP0937.exe	AppLaunch.exe
PID 4620 wrote to memory of 1360	4620	2sP0937.exe	AppLaunch.exe
PID 4620 wrote to memory of 1360	4620	2sP0937.exe	AppLaunch.exe
PID 4620 wrote to memory of 1360	4620	2sP0937.exe	AppLaunch.exe
PID 4620 wrote to memory of 1360	4620	2sP0937.exe	AppLaunch.exe
PID 4620 wrote to memory of 1360	4620	2sP0937.exe	AppLaunch.exe
PID 4620 wrote to memory of 1360	4620	2sP0937.exe	AppLaunch.exe
PID 4620 wrote to memory of 1360	4620	2sP0937.exe	AppLaunch.exe
PID 544 wrote to memory of 840	544	an9Gh92.exe	3kr06uP.exe
PID 544 wrote to memory of 840	544	an9Gh92.exe	3kr06uP.exe
PID 544 wrote to memory of 840	544	an9Gh92.exe	3kr06uP.exe
PID 3572 wrote to memory of 1876	3572	uT9vY09.exe	4Jx421So.exe
PID 3572 wrote to memory of 1876	3572	uT9vY09.exe	4Jx421So.exe
PID 3572 wrote to memory of 1876	3572	uT9vY09.exe	4Jx421So.exe
PID 1876 wrote to memory of 1216	1876	4Jx421So.exe	AppLaunch.exe
PID 1876 wrote to memory of 1216	1876	4Jx421So.exe	AppLaunch.exe
PID 1876 wrote to memory of 1216	1876	4Jx421So.exe	AppLaunch.exe
PID 1876 wrote to memory of 1216	1876	4Jx421So.exe	AppLaunch.exe
PID 1876 wrote to memory of 1216	1876	4Jx421So.exe	AppLaunch.exe
PID 1876 wrote to memory of 1216	1876	4Jx421So.exe	AppLaunch.exe
PID 1876 wrote to memory of 1216	1876	4Jx421So.exe	AppLaunch.exe
PID 1876 wrote to memory of 1216	1876	4Jx421So.exe	AppLaunch.exe
PID 1252 wrote to memory of 2328	1252	oa2sX98.exe	5NZ2vi5.exe
PID 1252 wrote to memory of 2328	1252	oa2sX98.exe	5NZ2vi5.exe
PID 1252 wrote to memory of 2328	1252	oa2sX98.exe	5NZ2vi5.exe
PID 2328 wrote to memory of 1604	2328	5NZ2vi5.exe	explothe.exe
PID 2328 wrote to memory of 1604	2328	5NZ2vi5.exe	explothe.exe
PID 2328 wrote to memory of 1604	2328	5NZ2vi5.exe	explothe.exe
PID 1784 wrote to memory of 4444	1784	Bu4yh37.exe	6sG1cY6.exe
PID 1784 wrote to memory of 4444	1784	Bu4yh37.exe	6sG1cY6.exe
PID 1784 wrote to memory of 4444	1784	Bu4yh37.exe	6sG1cY6.exe
PID 2144 wrote to memory of 1840	2144	74692ca9aa25e702576e835faf8a87d99d208bf02a87a5cd0cca52088e2e27ea.exe	7Ws0jM83.exe
PID 2144 wrote to memory of 1840	2144	74692ca9aa25e702576e835faf8a87d99d208bf02a87a5cd0cca52088e2e27ea.exe	7Ws0jM83.exe

C:\Users\Admin\AppData\Local\Temp\74692ca9aa25e702576e835faf8a87d99d208bf02a87a5cd0cca52088e2e27ea.exe
"C:\Users\Admin\AppData\Local\Temp\74692ca9aa25e702576e835faf8a87d99d208bf02a87a5cd0cca52088e2e27ea.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bu4yh37.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bu4yh37.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oa2sX98.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oa2sX98.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uT9vY09.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uT9vY09.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3572
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\an9Gh92.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\an9Gh92.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:544
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\yd9LN78.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\yd9LN78.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Xx31Yu7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Xx31Yu7.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2sP0937.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2sP0937.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:1360
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3kr06uP.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3kr06uP.exe
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        
        PID:840
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Jx421So.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Jx421So.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1876
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1216
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NZ2vi5.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NZ2vi5.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1604
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3068
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        7⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        7⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:2804
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6sG1cY6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6sG1cY6.exe
    3⤵
    - Executes dropped EXE
    PID:4444
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Ws0jM83.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Ws0jM83.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
    3⤵
    PID:4536

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:1880

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4156

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Ws0jM83.exe

Filesize
72KB

MD5
f992ee506add9509511781b06d1d268f

SHA1
ed74d925258821ae2cc99d52d553ae4b9ca90389

SHA256
6b0d65975c94ccb3af5541f5b5e9fa77637cac10eb4e2ed4814e84c40fdf288a

SHA512
c4f1c50c987260025f4a34d8353de19003bc6281c4779ca2edaf4d9dc7e273fcc42dbb295eaa51b13dfbbd684b65dc8c685e7265b2fcb2a9317275180774498b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bu4yh37.exe

Filesize
1.7MB

MD5
30128e8441862b71fb0fce630794aaea

SHA1
a0e8bedca7c685016f5214edaa50d2cd6ae805e4

SHA256
34677b0bba0197da060604deb3557c7df11371a506838d58b60f3272c6edbcb9

SHA512
51cacb5ffd33a4053b69377f833437f223b5fdce8be5eceb0ba93926215b2e9e84a405f36d3c190bbf3fbe334268786c602917c1683e41e852f3f5f584bc590e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6sG1cY6.exe

Filesize
181KB

MD5
a8eaa705e8b4f2aff03d61cf2e59f805

SHA1
439494b41d951afbefd5eac0b3939c45fa887dfa

SHA256
df5901a074241914d278cfbb273945f14c8fb8476a1bbaa669cfd7e5e5c3b0d0

SHA512
ef5f14db235e4209e50d91ae54d955a4de31c16ee0b559ea4250098e9c00f5dc555ebbfb27ce8efe8896ee280a6d57c5b831c4110105702014c1e26fd886acc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oa2sX98.exe

Filesize
1.5MB

MD5
7c14ccc0a20b53e6e890c114877e8210

SHA1
507eb4cc65cb683f366b0ad0b2e271ac83e1626d

SHA256
ad6c6ae289a2b253601414d8a1a1ddb256531b467f88a59635bdad8de79f5f78

SHA512
7905ff88691c271c215bd3aa850472bb8668c0b424eab42dbc0d09e9b284eedf4aaa171cc2ae5d399ad6b140d08d6c4410eed2245c9a9382b29d5bab8e616122

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NZ2vi5.exe

Filesize
222KB

MD5
112c26bbebe51d22f3f25ce641dabff6

SHA1
d6937d904662b14eb495de9ef540a94981cb2e24

SHA256
778657a4719839d351e5fca74c7fc4407438f3b6712fbc1018c4b55e54295dd1

SHA512
9ddc4da678a25e753586f0635db0a7daa186e6acc68e58b40e7ba0d9d606f470d430af3a7f5e2903d3c4ee29385b57a641d3a5cc41c573c475b4b55c2b0fe1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uT9vY09.exe

Filesize
1.3MB

MD5
c95ca9aee3807e6df564d2c730234f7e

SHA1
b8df2890bdca9be6f7ce918bfaf18f33c49e160d

SHA256
55da5d2c1a0a9ea0df386d4fe04396a39365a67031637265c68537fc6fb5dc3b

SHA512
471af69b47118a1c444ae9bced0147bfc1c979ba158c79ef12d9d4c5f49f70ff6cc38d006cf238b42dbd261d15f14716b72a6e90ed16781892e8678e1e1d3994

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Jx421So.exe

Filesize
1.9MB

MD5
2816de0950b069f53f7e3baa00608abf

SHA1
a27f6811398e6de8884e63bd58ab607f747534be

SHA256
0d88533b8a4da778ff2891b8210674b37fa9d2316ccb4ee3aeabe9d8784b32d9

SHA512
e42786c3c6dbb7ae9d6e75905c34c5b17a8e36d6b80930b40a752de274b690781477a4427be522319a619266ac3da41fdf5c2f6c244c730ec3bc14bbf4f586b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\an9Gh92.exe

Filesize
783KB

MD5
13b56924ed98da3a9561cd76183f853a

SHA1
9c2b03aa57a4ca123f89431b6a64d12f7642843a

SHA256
73c8c6d2109b54249523eda900d67975e02c3c5263368acd95581cf7bb71da75

SHA512
90d1e13ec8d599cf231fdad2ed626e48e2d3f9aaf35ac1462ada60f9885d22754808347b005332376b1ca059dd60f4780e31ae0981c25a8240914a56a97a7aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3kr06uP.exe

Filesize
31KB

MD5
49ffdef9bb12e451344104335b847b2a

SHA1
03459c88df2f8944864988c6ebf2105aa0cdf433

SHA256
604ef5504547bacd451cce7042ba068209b4576967677f106a1a9a8bb3cf7f17

SHA512
6633009254df0cad9a979ebe29e77615087e5a329c800f7fcc3fb75bceebdf253605674a582d68984bda06964c598890367a09aeea527ec28f85792d78f28bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\yd9LN78.exe

Filesize
660KB

MD5
80e71c61eeea398d7d6fc632743e5df2

SHA1
d49f145e7c308a043c0cfec899b5fd40dee0061b

SHA256
ca3c498490837dfee041cd00b0538d707d7f42222b3ed0c5a57d01d235d4a942

SHA512
e44b8016067a839b523d5891f12a7078192cfe643a3ca1c46b9e1477f566b1297063b5411a5715ef1096eed63b0897a191db2324ce504eb143f2132ba5602b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Xx31Yu7.exe

Filesize
1.6MB

MD5
049d449eac1c26d24d115f49b4e83569

SHA1
263d5321446ef685ce7af2089a09ebebb67dbd95

SHA256
df64fa46725273780518204105fd20128ebfb6503a1e3239b72de4f8bb54a5ad

SHA512
15606dff49df7b4d6a86321a94f60bade636055a671ef3b2057e045f8c7c36bdf195c3db345c1788cbb09cc5fd27136ad4f0cc8ad77cae3b805a4a63152a66ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2sP0937.exe

Filesize
1.8MB

MD5
c8a681708b984fa0fd57f40ba361e177

SHA1
4ba58a38d43c2df840207ffcc2351ffad37e21c3

SHA256
7da8a27710fa2bc045fbd5a4739a96e4151d3bdeb5021ee69f79096b71890b7c

SHA512
430f6ac1c4502e444ef8490ba916a3a67147e3774ecbf0a1c4de63b1cb5eb21fbea0d440036bfb9d98a11cafa56d8851778e0701b839f38a87e67c9fd6e79488

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.bat

Filesize
181B

MD5
225edee1d46e0a80610db26b275d72fb

SHA1
ce206abf11aaf19278b72f5021cc64b1b427b7e8

SHA256
e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

SHA512
4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.txt

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
memory/840-53-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/840-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1216-66-0x00000000074B0000-0x0000000007A54000-memory.dmp

Filesize
5.6MB

Download
memory/1216-67-0x0000000006FE0000-0x0000000007072000-memory.dmp

Filesize
584KB

Download
memory/1216-72-0x0000000002430000-0x000000000243A000-memory.dmp

Filesize
40KB

Download
memory/1216-59-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1216-84-0x0000000008080000-0x0000000008698000-memory.dmp

Filesize
6.1MB

Download
memory/1216-85-0x00000000072C0000-0x00000000073CA000-memory.dmp

Filesize
1.0MB

Download
memory/1216-86-0x00000000071F0000-0x0000000007202000-memory.dmp

Filesize
72KB

Download
memory/1216-87-0x0000000007250000-0x000000000728C000-memory.dmp

Filesize
240KB

Download
memory/1216-90-0x00000000073D0000-0x000000000741C000-memory.dmp

Filesize
304KB

Download
memory/1360-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-50-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download