amadey | 29a1b2044662e0dd7f3059854ed7d49d2511eca878ecf4aad8664292e62dd2d5

Analysis

max time kernel
29s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Small Malwares/1000002001/file300un.exe
Size

381KB
MD5

7b45848e20860513ef26eda7e13b0f1b
SHA1

a185781f7c61f9f3306e207d1711fce4643074be
SHA256

e2d2ea45cb38516498c31eb31b51508cadfe496d6517839ad2b7080973271624
SHA512

237fefa9f658dbf912e0777dd2de0ee37d1e8a88d3de0efb03bd63037a3812bee81ed61f46426bc0348f301485068eff94aa91c2283b2d580d10cccd08cdf8bd
SSDEEP

6144:rPlCBTtcDLxjD5lbKI42mZtgfW3aLxtzGyyHDF6vBrzAJ2dPjdL/Nbjl4G:rUBTGBPKGexUtzOFyzAJaH4G

Score

10^/10

amadey privateloader 9a3efc bootkit evasion execution loader persistence trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

9a3efc

http://check-ftp.ru

Attributes

install_dir
b9695770f1
install_file
Dctooux.exe
strings_key
1d3a0f2941c4060dba7f23a378474944
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

cAsRTHHH9TxRHR70WbF5pKs0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	cAsRTHHH9TxRHR70WbF5pKs0.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

file300un.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

file300un.execAsRTHHH9TxRHR70WbF5pKs0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Small Malwares\1000002001\file300un.exe = "0"	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	cAsRTHHH9TxRHR70WbF5pKs0.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3576 powershell.exe
2080 powershell.exe
668 powershell.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe

pid	process
3576	powershell.exe
2080	powershell.exe
668	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file300un.exeQQ9JE4VmVOl6pNd1RQSrgEKn.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	file300un.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	QQ9JE4VmVOl6pNd1RQSrgEKn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Install.exe

Drops startup file 5 IoCs

Processes:

CasPol.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vjNq5JZ9CfA2CrseKhRbap7L.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F164nuuMgaULkk6SOWfPRnRn.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2n8BUjGMFVzZcdgZFJWWjGGq.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BVJJzq5ahBmxh0ru9M5qOeD4.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PEUwZHPRR1epF09OkQ92kI2r.bat	CasPol.exe

Executes dropped EXE 11 IoCs

Processes:

QQ9JE4VmVOl6pNd1RQSrgEKn.exeQQ9JE4VmVOl6pNd1RQSrgEKn.exeIrmyOypUBa9c8HHAMaRZvrJl.exeDctooux.exeDctooux.execAsRTHHH9TxRHR70WbF5pKs0.exeUqCKWexXBUBEZ5HL9ZhGKcTD.exeInstall.exeInstall.exeDctooux.exeDctooux.exe

pid	process
5008	QQ9JE4VmVOl6pNd1RQSrgEKn.exe
5172	QQ9JE4VmVOl6pNd1RQSrgEKn.exe
2436	IrmyOypUBa9c8HHAMaRZvrJl.exe
3248	Dctooux.exe
1988	Dctooux.exe
4016	cAsRTHHH9TxRHR70WbF5pKs0.exe
3744	UqCKWexXBUBEZ5HL9ZhGKcTD.exe
1588	Install.exe
5852	Install.exe
5328	Dctooux.exe
3212	Dctooux.exe

Loads dropped DLL 1 IoCs

Processes:

IrmyOypUBa9c8HHAMaRZvrJl.exe

pid process

2436 IrmyOypUBa9c8HHAMaRZvrJl.exe

pid	process
2436	IrmyOypUBa9c8HHAMaRZvrJl.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

file300un.execAsRTHHH9TxRHR70WbF5pKs0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Small Malwares\1000002001\file300un.exe = "0"	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	cAsRTHHH9TxRHR70WbF5pKs0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	file300un.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

file300un.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file300un.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

14 pastebin.com
17 pastebin.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

63 api.myip.com
64 ipinfo.io
65 ipinfo.io
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

IrmyOypUBa9c8HHAMaRZvrJl.exe

description ioc process

File opened for modification \??\PhysicalDrive0 IrmyOypUBa9c8HHAMaRZvrJl.exe

flow	ioc
14	pastebin.com
17	pastebin.com

flow	ioc
63	api.myip.com
64	ipinfo.io
65	ipinfo.io

description	ioc	process
File opened for modification	\??\PhysicalDrive0	IrmyOypUBa9c8HHAMaRZvrJl.exe

Drops file in System32 directory 4 IoCs

Processes:

cAsRTHHH9TxRHR70WbF5pKs0.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	cAsRTHHH9TxRHR70WbF5pKs0.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	cAsRTHHH9TxRHR70WbF5pKs0.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	cAsRTHHH9TxRHR70WbF5pKs0.exe
File opened for modification	C:\Windows\System32\GroupPolicy	cAsRTHHH9TxRHR70WbF5pKs0.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

file300un.exeQQ9JE4VmVOl6pNd1RQSrgEKn.exeDctooux.exeDctooux.exe

description	pid	process	target process
PID 2672 set thread context of 608	2672	file300un.exe	CasPol.exe
PID 5008 set thread context of 5172	5008	QQ9JE4VmVOl6pNd1RQSrgEKn.exe	QQ9JE4VmVOl6pNd1RQSrgEKn.exe
PID 3248 set thread context of 1988	3248	Dctooux.exe	Dctooux.exe
PID 5328 set thread context of 3212	5328	Dctooux.exe	Dctooux.exe

Drops file in Windows directory 1 IoCs

Processes:

QQ9JE4VmVOl6pNd1RQSrgEKn.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job QQ9JE4VmVOl6pNd1RQSrgEKn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	QQ9JE4VmVOl6pNd1RQSrgEKn.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exeIrmyOypUBa9c8HHAMaRZvrJl.exepowershell.exepowershell.exe

pid	process
668	powershell.exe
668	powershell.exe
2436	IrmyOypUBa9c8HHAMaRZvrJl.exe
2436	IrmyOypUBa9c8HHAMaRZvrJl.exe
2436	IrmyOypUBa9c8HHAMaRZvrJl.exe
2436	IrmyOypUBa9c8HHAMaRZvrJl.exe
3576	powershell.exe
3576	powershell.exe
3576	powershell.exe
2080	powershell.exe
2080	powershell.exe
2080	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

file300un.exepowershell.exeCasPol.exeIrmyOypUBa9c8HHAMaRZvrJl.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2672	file300un.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	608	CasPol.exe
Token: SeManageVolumePrivilege	2436	IrmyOypUBa9c8HHAMaRZvrJl.exe
Token: SeDebugPrivilege	3576	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file300un.exeCasPol.exeQQ9JE4VmVOl6pNd1RQSrgEKn.exeQQ9JE4VmVOl6pNd1RQSrgEKn.exeDctooux.exeUqCKWexXBUBEZ5HL9ZhGKcTD.exeInstall.exeDctooux.exeInstall.execmd.exe

description	pid	process	target process
PID 2672 wrote to memory of 668	2672	file300un.exe	powershell.exe
PID 2672 wrote to memory of 668	2672	file300un.exe	powershell.exe
PID 2672 wrote to memory of 608	2672	file300un.exe	CasPol.exe
PID 2672 wrote to memory of 608	2672	file300un.exe	CasPol.exe
PID 2672 wrote to memory of 608	2672	file300un.exe	CasPol.exe
PID 2672 wrote to memory of 608	2672	file300un.exe	CasPol.exe
PID 2672 wrote to memory of 608	2672	file300un.exe	CasPol.exe
PID 2672 wrote to memory of 608	2672	file300un.exe	CasPol.exe
PID 2672 wrote to memory of 608	2672	file300un.exe	CasPol.exe
PID 2672 wrote to memory of 608	2672	file300un.exe	CasPol.exe
PID 608 wrote to memory of 5008	608	CasPol.exe	QQ9JE4VmVOl6pNd1RQSrgEKn.exe
PID 608 wrote to memory of 5008	608	CasPol.exe	QQ9JE4VmVOl6pNd1RQSrgEKn.exe
PID 608 wrote to memory of 5008	608	CasPol.exe	QQ9JE4VmVOl6pNd1RQSrgEKn.exe
PID 5008 wrote to memory of 5172	5008	QQ9JE4VmVOl6pNd1RQSrgEKn.exe	QQ9JE4VmVOl6pNd1RQSrgEKn.exe
PID 5008 wrote to memory of 5172	5008	QQ9JE4VmVOl6pNd1RQSrgEKn.exe	QQ9JE4VmVOl6pNd1RQSrgEKn.exe
PID 5008 wrote to memory of 5172	5008	QQ9JE4VmVOl6pNd1RQSrgEKn.exe	QQ9JE4VmVOl6pNd1RQSrgEKn.exe
PID 5008 wrote to memory of 5172	5008	QQ9JE4VmVOl6pNd1RQSrgEKn.exe	QQ9JE4VmVOl6pNd1RQSrgEKn.exe
PID 5008 wrote to memory of 5172	5008	QQ9JE4VmVOl6pNd1RQSrgEKn.exe	QQ9JE4VmVOl6pNd1RQSrgEKn.exe
PID 5008 wrote to memory of 5172	5008	QQ9JE4VmVOl6pNd1RQSrgEKn.exe	QQ9JE4VmVOl6pNd1RQSrgEKn.exe
PID 5008 wrote to memory of 5172	5008	QQ9JE4VmVOl6pNd1RQSrgEKn.exe	QQ9JE4VmVOl6pNd1RQSrgEKn.exe
PID 5008 wrote to memory of 5172	5008	QQ9JE4VmVOl6pNd1RQSrgEKn.exe	QQ9JE4VmVOl6pNd1RQSrgEKn.exe
PID 5008 wrote to memory of 5172	5008	QQ9JE4VmVOl6pNd1RQSrgEKn.exe	QQ9JE4VmVOl6pNd1RQSrgEKn.exe
PID 5008 wrote to memory of 5172	5008	QQ9JE4VmVOl6pNd1RQSrgEKn.exe	QQ9JE4VmVOl6pNd1RQSrgEKn.exe
PID 608 wrote to memory of 2436	608	CasPol.exe	IrmyOypUBa9c8HHAMaRZvrJl.exe
PID 608 wrote to memory of 2436	608	CasPol.exe	IrmyOypUBa9c8HHAMaRZvrJl.exe
PID 608 wrote to memory of 2436	608	CasPol.exe	IrmyOypUBa9c8HHAMaRZvrJl.exe
PID 5172 wrote to memory of 3248	5172	QQ9JE4VmVOl6pNd1RQSrgEKn.exe	Dctooux.exe
PID 5172 wrote to memory of 3248	5172	QQ9JE4VmVOl6pNd1RQSrgEKn.exe	Dctooux.exe
PID 5172 wrote to memory of 3248	5172	QQ9JE4VmVOl6pNd1RQSrgEKn.exe	Dctooux.exe
PID 3248 wrote to memory of 1988	3248	Dctooux.exe	Dctooux.exe
PID 3248 wrote to memory of 1988	3248	Dctooux.exe	Dctooux.exe
PID 3248 wrote to memory of 1988	3248	Dctooux.exe	Dctooux.exe
PID 3248 wrote to memory of 1988	3248	Dctooux.exe	Dctooux.exe
PID 3248 wrote to memory of 1988	3248	Dctooux.exe	Dctooux.exe
PID 3248 wrote to memory of 1988	3248	Dctooux.exe	Dctooux.exe
PID 3248 wrote to memory of 1988	3248	Dctooux.exe	Dctooux.exe
PID 3248 wrote to memory of 1988	3248	Dctooux.exe	Dctooux.exe
PID 3248 wrote to memory of 1988	3248	Dctooux.exe	Dctooux.exe
PID 3248 wrote to memory of 1988	3248	Dctooux.exe	Dctooux.exe
PID 608 wrote to memory of 4016	608	CasPol.exe	cAsRTHHH9TxRHR70WbF5pKs0.exe
PID 608 wrote to memory of 4016	608	CasPol.exe	cAsRTHHH9TxRHR70WbF5pKs0.exe
PID 608 wrote to memory of 3744	608	CasPol.exe	UqCKWexXBUBEZ5HL9ZhGKcTD.exe
PID 608 wrote to memory of 3744	608	CasPol.exe	UqCKWexXBUBEZ5HL9ZhGKcTD.exe
PID 608 wrote to memory of 3744	608	CasPol.exe	UqCKWexXBUBEZ5HL9ZhGKcTD.exe
PID 3744 wrote to memory of 1588	3744	UqCKWexXBUBEZ5HL9ZhGKcTD.exe	Install.exe
PID 3744 wrote to memory of 1588	3744	UqCKWexXBUBEZ5HL9ZhGKcTD.exe	Install.exe
PID 3744 wrote to memory of 1588	3744	UqCKWexXBUBEZ5HL9ZhGKcTD.exe	Install.exe
PID 1588 wrote to memory of 5852	1588	Install.exe	Install.exe
PID 1588 wrote to memory of 5852	1588	Install.exe	Install.exe
PID 1588 wrote to memory of 5852	1588	Install.exe	Install.exe
PID 5328 wrote to memory of 3212	5328	Dctooux.exe	Dctooux.exe
PID 5328 wrote to memory of 3212	5328	Dctooux.exe	Dctooux.exe
PID 5328 wrote to memory of 3212	5328	Dctooux.exe	Dctooux.exe
PID 5328 wrote to memory of 3212	5328	Dctooux.exe	Dctooux.exe
PID 5328 wrote to memory of 3212	5328	Dctooux.exe	Dctooux.exe
PID 5328 wrote to memory of 3212	5328	Dctooux.exe	Dctooux.exe
PID 5328 wrote to memory of 3212	5328	Dctooux.exe	Dctooux.exe
PID 5328 wrote to memory of 3212	5328	Dctooux.exe	Dctooux.exe
PID 5328 wrote to memory of 3212	5328	Dctooux.exe	Dctooux.exe
PID 5328 wrote to memory of 3212	5328	Dctooux.exe	Dctooux.exe
PID 5852 wrote to memory of 2408	5852	Install.exe	cmd.exe
PID 5852 wrote to memory of 2408	5852	Install.exe	cmd.exe
PID 5852 wrote to memory of 2408	5852	Install.exe	cmd.exe
PID 2408 wrote to memory of 5532	2408	cmd.exe	forfiles.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

file300un.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe

C:\Users\Admin\AppData\Local\Temp\Small Malwares\1000002001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\Small Malwares\1000002001\file300un.exe"
1⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Small Malwares\1000002001\file300un.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:608
- - C:\Users\Admin\Pictures\QQ9JE4VmVOl6pNd1RQSrgEKn.exe
    "C:\Users\Admin\Pictures\QQ9JE4VmVOl6pNd1RQSrgEKn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Users\Admin\Pictures\QQ9JE4VmVOl6pNd1RQSrgEKn.exe
      "C:\Users\Admin\Pictures\QQ9JE4VmVOl6pNd1RQSrgEKn.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:5172
    - - C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3248
      - C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"
        6⤵
        Executes dropped EXE
        
        PID:1988
- - C:\Users\Admin\Pictures\IrmyOypUBa9c8HHAMaRZvrJl.exe
    "C:\Users\Admin\Pictures\IrmyOypUBa9c8HHAMaRZvrJl.exe" /s
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2436
- - C:\Users\Admin\Pictures\cAsRTHHH9TxRHR70WbF5pKs0.exe
    "C:\Users\Admin\Pictures\cAsRTHHH9TxRHR70WbF5pKs0.exe"
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Drops file in System32 directory
    PID:4016
- - C:\Users\Admin\Pictures\UqCKWexXBUBEZ5HL9ZhGKcTD.exe
    "C:\Users\Admin\Pictures\UqCKWexXBUBEZ5HL9ZhGKcTD.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Users\Admin\AppData\Local\Temp\7zS7FFD.tmp\Install.exe
      .\Install.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Users\Admin\AppData\Local\Temp\7zS828E.tmp\Install.exe
        
        .\Install.exe /yrVdidRYRgn "385118" /S
        5⤵
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Enumerates system info in registry
        Suspicious use of WriteProcessMemory
        
        PID:5852
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        7⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:5604
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        9⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        7⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        
        PID:2364
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        9⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        7⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        
        PID:4348
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        9⤵
        
        PID:216
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        7⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:4804
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        9⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        7⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3576
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        10⤵
        
        PID:1980
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        6⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        
        PID:3268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5932

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5328
- C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
  C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
  2⤵
  - Executes dropped EXE
  PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
254f97caf20b39d0846821965f6c1d4b

SHA1
6b8492bf210551112d74fdba59c06e01e498959d

SHA256
c6698a3842dfc6493ca85cda0e881bd077f928bf5d707c8db45b5bc2c4910569

SHA512
9bc7e382d0597b7ba94d6a2447bfcfda5f6bd43dfcdee2e7796d7b527b4e99d68cc0f0a347668f07cc6aa25a63b1aa1b4d84c7abd4204ef64eee9b0b55e9dcc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
b20897aaf5fdb8a8ee365a94470c3c92

SHA1
8a1c6845b65219b99957f9b92abca2cd6157426b

SHA256
959b5ed68bc6cac024d8d7c3fc6d8ce590450e4457c81f0fd8a07ba7c7e900f7

SHA512
bcd490f4dbd48718ae960f1d6c8ea27aa9fd06165bc863bc64885fddf887da846935d21a9b13cef7a097f4867153acf249dd15536f5ea25f9e2cbd918ec91de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
653B

MD5
9762da1629c6f6e76282d00a0ecb3e23

SHA1
ed5600013e3d8c29f1ed85e4dca58795b868f44e

SHA256
e00b52797737e088c6213742a4e42e8da58eb0a30decbc219e09ee1ec2576df4

SHA512
58d3c304766ed09aaffd2d986f9eb26152e442062f18329ff031b5da0c5008f5ab926ea4ea2a1698a9aa3501baff01ce336f4a8fa7642a1e04cab9c24d34dadc

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

Filesize
830B

MD5
ccc8d9de176911a3194584246c9911a6

SHA1
9c3ef9a68250929819a742ea3c476740fd2f230b

SHA256
907dc39171aa7b9ab602b113ffd240b2ceef8df590296337242f275edded096e

SHA512
1563e6083a9467e56d93d8fdb4c35d25380d7a4695589af4fed94ef9e3bfe2c05b96e3f5082a261da432c0a3a40ee13e0181f5394aeec8108182953b6a432dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\162180587977

Filesize
75KB

MD5
c9eddbaa6ba04facaa820adb240704f0

SHA1
e0cd634edb7598ba13900c1e763f8c6026f1ae43

SHA256
c7d105acef86b8e7cfa9afe766274315da6469410470c19adc3caa0a347861ab

SHA512
9d9a4bdd6120ccb55d4ae20733f9a916589d528bfb77a99458db5891c151e18d97cfa5a32a21b649e7dda8f1ddc254ce9958697ee40ceeff2d832f020bb2e295

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7FFD.tmp\Install.exe

Filesize
6.3MB

MD5
ed183069dc2bda09cdec22ee3dd204fa

SHA1
1ae742ebbdf91626a034b2038fb00673f2851b0e

SHA256
d50a8266ab4877c01cf8164f4228bcc65d29c32dd732e29ffa54ecd4e096863f

SHA512
5bb0d40c1ac70b7784abca19f9874e237d7ae37c6747653e1c37b4b0d2384aa53ca133c1a83b431317bdb4bbb8754a97765e065fac64390eed89326aae64de15

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS828E.tmp\Install.exe

Filesize
6.7MB

MD5
a5dca05edc6eda6e2acfe7ca41641cc5

SHA1
b772813e63a424ae31a2bd75c0067be03aae0165

SHA256
986e2f087fe32332daf7215461a103fa25d86209ab704e29a81dc419435367ae

SHA512
c3d865918176c064e638d2c892cb2ef45bc722fa9f3b4e1fb10ca6886054ff2d37cd9fd97fff08cdd95a017374109495bf48069fdc67355b34729fae654da2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dv1dv0c0.ye5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\{35417106-89ED-4ec4-BE4F-8B95F5FEB8CB}.tmp\360P2SP.dll

Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
C:\Users\Admin\Pictures\IrmyOypUBa9c8HHAMaRZvrJl.exe

Filesize
1.5MB

MD5
cd4acedefa9ab5c7dccac667f91cef13

SHA1
bff5ce910f75aeae37583a63828a00ae5f02c4e7

SHA256
dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c

SHA512
06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1

Download Submit
C:\Users\Admin\Pictures\OGAitQRt4VcHStcaegCMaCkk.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\QQ9JE4VmVOl6pNd1RQSrgEKn.exe

Filesize
455KB

MD5
3549706345be03a87910ed3ba43c1f0a

SHA1
5bcc49d46433824ccc44a21a2c8cc3046312ad31

SHA256
4c882bbce43bf29bfd489793ad0e9b12833582b2200ec0cd8b45e5bccca665bc

SHA512
3ad374354f097e06ee07d295275903d99b0683953c0380a959dde155e20008541030f1568614364dcdf6c9dda44db175dbb58b4175ccfcc4974a607f436f274c

Download Submit
C:\Users\Admin\Pictures\UqCKWexXBUBEZ5HL9ZhGKcTD.exe

Filesize
7.3MB

MD5
f74fcc245dd45e9616656097665698b9

SHA1
dd2ad813cd1da59bcb19d6b81dbd60215b9bb987

SHA256
d1654381b2f43e13d88f2decbabe9695d09467fc26762f72f5dab3f43b0bd96e

SHA512
bead6f116b6d0d683389f323240acfcf717ae98b9c5d86c77c5d57dcca084abed6ccb6a4cc31b09a43bb368450a0645643200b65ab4260321c3f2b3b2d98a509

Download Submit
C:\Users\Admin\Pictures\cAsRTHHH9TxRHR70WbF5pKs0.exe

Filesize
3.6MB

MD5
4ffcc5239d44ce67cdca5bb8860dc294

SHA1
9d138b625009d9a6507aa18643283983c17b34e5

SHA256
087968d5bbf7708840237e83263c398912ea3916d12b19e36f510a53acfcf1d9

SHA512
3d9d67f253c3a4ba88a2e1f0d5782799ba1fe903a2d441fdc33d523a45cb89759ec75fe088b894eddc8cd8f3298eb45eadbbad45e791e09ed973ab094a0d4bf4

Download Submit
memory/608-5-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/608-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/608-216-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/668-18-0x00007FFA588C0000-0x00007FFA59381000-memory.dmp

Filesize
10.8MB

Download
memory/668-21-0x00007FFA588C0000-0x00007FFA59381000-memory.dmp

Filesize
10.8MB

Download
memory/668-17-0x00000143B8150000-0x00000143B8172000-memory.dmp

Filesize
136KB

Download
memory/668-7-0x00007FFA588C0000-0x00007FFA59381000-memory.dmp

Filesize
10.8MB

Download
memory/668-6-0x00007FFA588C3000-0x00007FFA588C5000-memory.dmp

Filesize
8KB

Download
memory/1988-96-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1988-184-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1988-116-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2080-232-0x0000000006D30000-0x0000000006D7C000-memory.dmp

Filesize
304KB

Download
memory/2080-226-0x0000000006160000-0x00000000064B4000-memory.dmp

Filesize
3.3MB

Download
memory/2672-0-0x0000022205CB0000-0x0000022205CBC000-memory.dmp

Filesize
48KB

Download
memory/2672-1-0x00007FFA588C3000-0x00007FFA588C5000-memory.dmp

Filesize
8KB

Download
memory/2672-3-0x00000222060F0000-0x000002220614A000-memory.dmp

Filesize
360KB

Download
memory/2672-22-0x00007FFA588C0000-0x00007FFA59381000-memory.dmp

Filesize
10.8MB

Download
memory/2672-2-0x00007FFA588C0000-0x00007FFA59381000-memory.dmp

Filesize
10.8MB

Download
memory/3212-200-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3212-189-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3576-191-0x0000000004DC0000-0x00000000053E8000-memory.dmp

Filesize
6.2MB

Download
memory/3576-210-0x0000000006DD0000-0x0000000006E66000-memory.dmp

Filesize
600KB

Download
memory/3576-194-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/3576-206-0x0000000005670000-0x00000000059C4000-memory.dmp

Filesize
3.3MB

Download
memory/3576-192-0x0000000004D70000-0x0000000004D92000-memory.dmp

Filesize
136KB

Download
memory/3576-208-0x0000000005C10000-0x0000000005C2E000-memory.dmp

Filesize
120KB

Download
memory/3576-209-0x0000000005C40000-0x0000000005C8C000-memory.dmp

Filesize
304KB

Download
memory/3576-211-0x0000000006110000-0x000000000612A000-memory.dmp

Filesize
104KB

Download
memory/3576-212-0x0000000006160000-0x0000000006182000-memory.dmp

Filesize
136KB

Download
memory/3576-193-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/3576-213-0x0000000007420000-0x00000000079C4000-memory.dmp

Filesize
5.6MB

Download
memory/3576-190-0x0000000004650000-0x0000000004686000-memory.dmp

Filesize
216KB

Download
memory/4016-142-0x00007FF789420000-0x00007FF789C81000-memory.dmp

Filesize
8.4MB

Download
memory/5172-50-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5172-86-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5172-48-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5852-217-0x0000000010000000-0x00000000105CF000-memory.dmp

Filesize
5.8MB

Download