amadey | 2d527493e95a37af81ce778bd0696292aa1e9f936cc84970c047bc868d70ea36

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d527493e95a37af81ce778bd0696292aa1e9f936cc84970c047bc868d70ea36.exe
Size

1.4MB
MD5

935c16b84b04d892fb5a262aff32956f
SHA1

d15409dc5d816f2f7702a848dc83c6633bbd8ade
SHA256

2d527493e95a37af81ce778bd0696292aa1e9f936cc84970c047bc868d70ea36
SHA512

08f4482ee30a9d66c1c6969f23ce1f76f859bd75fff8e16007e602a0287d046217999bee9f045744c0aa2dcef95c868bfdc01aa79f616083e42b4e53a7bc5075
SSDEEP

24576:6ZtnYUWiih89GcIB7ql5/p5QCgSFKdAHvNpDGkRlBgVOT1vbtrM9JhZ:6ZtnYUWiih84c0c+3So2PqkLBTKhZ

Score

10^/10

amadey healer mystic redline smokeloader fb0fb8 monik backdoor discovery dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

monik

77.91.124.82:19071

Attributes

auth_value
da7d9ea0878f5901f1f8319d34bdccea

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/4800-43-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral2/memory/4800-46-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral2/memory/4800-44-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/1376-39-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2180-66-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	t0875179.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	explonde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	w9362255.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	legota.exe

Executes dropped EXE 16 IoCs

pid	Process
3560	z8619904.exe
3848	z2475312.exe
640	z7469080.exe
452	z9060852.exe
1868	q1023611.exe
5044	r2807874.exe
2468	s4621472.exe
2364	t0875179.exe
1704	explonde.exe
4708	u0035883.exe
1484	w9362255.exe
2756	legota.exe
548	legota.exe
1940	explonde.exe
1952	legota.exe
3088	explonde.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z9060852.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z8619904.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z2475312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z7469080.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 4832	2416	2d527493e95a37af81ce778bd0696292aa1e9f936cc84970c047bc868d70ea36.exe	95
PID 1868 set thread context of 1376	1868	q1023611.exe	104
PID 5044 set thread context of 4800	5044	r2807874.exe	107
PID 2468 set thread context of 2452	2468	s4621472.exe	110
PID 4708 set thread context of 2180	4708	u0035883.exe	125

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z8619904.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w9362255.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s4621472.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d527493e95a37af81ce778bd0696292aa1e9f936cc84970c047bc868d70ea36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z2475312.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z7469080.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	u0035883.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	legota.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r2807874.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explonde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z9060852.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	q1023611.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	t0875179.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
924	schtasks.exe
1328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1376	AppLaunch.exe
1376	AppLaunch.exe
1376	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1376	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 4832	2416	2d527493e95a37af81ce778bd0696292aa1e9f936cc84970c047bc868d70ea36.exe	95
PID 2416 wrote to memory of 4832	2416	2d527493e95a37af81ce778bd0696292aa1e9f936cc84970c047bc868d70ea36.exe	95
PID 2416 wrote to memory of 4832	2416	2d527493e95a37af81ce778bd0696292aa1e9f936cc84970c047bc868d70ea36.exe	95
PID 2416 wrote to memory of 4832	2416	2d527493e95a37af81ce778bd0696292aa1e9f936cc84970c047bc868d70ea36.exe	95
PID 2416 wrote to memory of 4832	2416	2d527493e95a37af81ce778bd0696292aa1e9f936cc84970c047bc868d70ea36.exe	95
PID 2416 wrote to memory of 4832	2416	2d527493e95a37af81ce778bd0696292aa1e9f936cc84970c047bc868d70ea36.exe	95
PID 2416 wrote to memory of 4832	2416	2d527493e95a37af81ce778bd0696292aa1e9f936cc84970c047bc868d70ea36.exe	95
PID 2416 wrote to memory of 4832	2416	2d527493e95a37af81ce778bd0696292aa1e9f936cc84970c047bc868d70ea36.exe	95
PID 2416 wrote to memory of 4832	2416	2d527493e95a37af81ce778bd0696292aa1e9f936cc84970c047bc868d70ea36.exe	95
PID 2416 wrote to memory of 4832	2416	2d527493e95a37af81ce778bd0696292aa1e9f936cc84970c047bc868d70ea36.exe	95
PID 4832 wrote to memory of 3560	4832	AppLaunch.exe	96
PID 4832 wrote to memory of 3560	4832	AppLaunch.exe	96
PID 4832 wrote to memory of 3560	4832	AppLaunch.exe	96
PID 3560 wrote to memory of 3848	3560	z8619904.exe	97
PID 3560 wrote to memory of 3848	3560	z8619904.exe	97
PID 3560 wrote to memory of 3848	3560	z8619904.exe	97
PID 3848 wrote to memory of 640	3848	z2475312.exe	98
PID 3848 wrote to memory of 640	3848	z2475312.exe	98
PID 3848 wrote to memory of 640	3848	z2475312.exe	98
PID 640 wrote to memory of 452	640	z7469080.exe	99
PID 640 wrote to memory of 452	640	z7469080.exe	99
PID 640 wrote to memory of 452	640	z7469080.exe	99
PID 452 wrote to memory of 1868	452	z9060852.exe	100
PID 452 wrote to memory of 1868	452	z9060852.exe	100
PID 452 wrote to memory of 1868	452	z9060852.exe	100
PID 1868 wrote to memory of 1376	1868	q1023611.exe	104
PID 1868 wrote to memory of 1376	1868	q1023611.exe	104
PID 1868 wrote to memory of 1376	1868	q1023611.exe	104
PID 1868 wrote to memory of 1376	1868	q1023611.exe	104
PID 1868 wrote to memory of 1376	1868	q1023611.exe	104
PID 1868 wrote to memory of 1376	1868	q1023611.exe	104
PID 1868 wrote to memory of 1376	1868	q1023611.exe	104
PID 1868 wrote to memory of 1376	1868	q1023611.exe	104
PID 452 wrote to memory of 5044	452	z9060852.exe	105
PID 452 wrote to memory of 5044	452	z9060852.exe	105
PID 452 wrote to memory of 5044	452	z9060852.exe	105
PID 5044 wrote to memory of 4800	5044	r2807874.exe	107
PID 5044 wrote to memory of 4800	5044	r2807874.exe	107
PID 5044 wrote to memory of 4800	5044	r2807874.exe	107
PID 5044 wrote to memory of 4800	5044	r2807874.exe	107
PID 5044 wrote to memory of 4800	5044	r2807874.exe	107
PID 5044 wrote to memory of 4800	5044	r2807874.exe	107
PID 5044 wrote to memory of 4800	5044	r2807874.exe	107
PID 5044 wrote to memory of 4800	5044	r2807874.exe	107
PID 5044 wrote to memory of 4800	5044	r2807874.exe	107
PID 5044 wrote to memory of 4800	5044	r2807874.exe	107
PID 640 wrote to memory of 2468	640	z7469080.exe	108
PID 640 wrote to memory of 2468	640	z7469080.exe	108
PID 640 wrote to memory of 2468	640	z7469080.exe	108
PID 2468 wrote to memory of 2452	2468	s4621472.exe	110
PID 2468 wrote to memory of 2452	2468	s4621472.exe	110
PID 2468 wrote to memory of 2452	2468	s4621472.exe	110
PID 2468 wrote to memory of 2452	2468	s4621472.exe	110
PID 2468 wrote to memory of 2452	2468	s4621472.exe	110
PID 2468 wrote to memory of 2452	2468	s4621472.exe	110
PID 3848 wrote to memory of 2364	3848	z2475312.exe	111
PID 3848 wrote to memory of 2364	3848	z2475312.exe	111
PID 3848 wrote to memory of 2364	3848	z2475312.exe	111
PID 2364 wrote to memory of 1704	2364	t0875179.exe	112
PID 2364 wrote to memory of 1704	2364	t0875179.exe	112
PID 2364 wrote to memory of 1704	2364	t0875179.exe	112
PID 3560 wrote to memory of 4708	3560	z8619904.exe	113
PID 3560 wrote to memory of 4708	3560	z8619904.exe	113
PID 3560 wrote to memory of 4708	3560	z8619904.exe	113

C:\Users\Admin\AppData\Local\Temp\2d527493e95a37af81ce778bd0696292aa1e9f936cc84970c047bc868d70ea36.exe
"C:\Users\Admin\AppData\Local\Temp\2d527493e95a37af81ce778bd0696292aa1e9f936cc84970c047bc868d70ea36.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8619904.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8619904.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2475312.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2475312.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3848
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7469080.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7469080.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:640
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9060852.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9060852.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1023611.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1023611.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2807874.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2807874.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4621472.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4621472.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        
        PID:2452
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0875179.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0875179.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2364
      - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:N"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:R" /E
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0035883.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0035883.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:4708
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9362255.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9362255.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
      "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2756
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1328
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4256
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:N"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:R" /E
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1168
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3808
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:N"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4848
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:R" /E
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3684

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:548

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:1940

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:1952

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8619904.exe

Filesize
1023KB

MD5
428ddfda70f8bde7495180b25ac3aafc

SHA1
dbcd787294dc12acb157769ce182b36d5a55dfee

SHA256
b0a8a4b5972d1b580e3662053f90393adde933dc0088daf74c48b4d0c454e406

SHA512
06b65ca03d4d29b2937c295bf0021fc43fc631ad6e1ec804cf83939d1a8a6c52b52e9de7b131e6e3f9d96b5d6bbd6e00299abf53031cd3f5f96c7b42a6664c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0035883.exe

Filesize
393KB

MD5
0e8be993f2a2369d2f22c4065c84306c

SHA1
30f6c49b9b16d47bacbc0e686dfe081aeae53fe8

SHA256
8e99064c6dd967c138e525e397e16bdbd2ce159897b777bb7df2673de0247859

SHA512
0f400ac673fe72d43f5907ed345c6edc38c1d65d6332bf847849ed6c9129efc473c6a9a0d5d1cc389d4e86992c8dd4b468d09346cd2401b051f508622ac018ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2475312.exe

Filesize
757KB

MD5
e04bd3b3e1803d97570712012554726f

SHA1
146ccb2f1438853dd55b5966a67f94d6e1cdbe07

SHA256
f1c4986c5069cece27970b0b502dda0f0b8b55d30505480195ae01a4a7e0af31

SHA512
756160496626f285db5e15cf4ecd045e40f06b07d973dce55fac5ae844eb227dcc85b68583827f5c600b774a902f2d4f32028b08cd858bfe9ee3fac453b31c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0875179.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7469080.exe

Filesize
574KB

MD5
1dbbdeb3b11cdf3f78f16eca64173d3b

SHA1
93081e4ff93314078b5df11029151644cb5bd3b2

SHA256
84ddab5c745dfa09952a20b984d23b717e43c5e78d3c861ee3d2541b3effc447

SHA512
0ae2251b804a67d18ba1981bb97409097c20fd013b3bd1f2a71ed52e61ac2d33377092f3618ae24f3673cf47e156b9550263975ae92f69d6e2f894a1da4dce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4621472.exe

Filesize
249KB

MD5
755102cc80d3f9958ee8a74953b95134

SHA1
6552f022fbff1a426c8faf3834b3948a5ff8c8ee

SHA256
531dc17ba5776f4890634b5f4871172bc5614a87d5e589df40de4ff917ea9c3f

SHA512
6c61fd6cecadc105457bc5e1c6e3f3bff755cfa1f7904b8bb8795f709c86b0629ca8b085d1c9b1658de02f0e8e8e387c552bbc7bce6a585d33e6dacea58c9b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9060852.exe

Filesize
339KB

MD5
a53175e75ba3781efb639bfc7de6c871

SHA1
17d3a0c81171693f50d4a2d036b2fb33e6780b9d

SHA256
f55182aff4262fa4c8e800a8bb176fbdecc5e71979d949273233a1b9eb41eeba

SHA512
fe62513083abd4d5edee46d584fe4e0393f2ff393ae7ae7c2a8465be888a84605ece5d86c2d83ebe88d69cf027ae18850fb06808015693ffac66a5163c19c1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1023611.exe

Filesize
230KB

MD5
649bfa61745252187c8d6d654102a2d2

SHA1
886b037fae62e3f984d174df4237a734ce58f483

SHA256
0239b1dc5c7632fadd9f5813aff1ca0ac27569c7f0e92c56fe0d41e61c607224

SHA512
907c0fd5ee036048e9218b2d7f9daec75f3236b072a71ebc47018d66b2f66839e5078cd8796d8cb3939748cf717bfefc1c05f037c7babee776e27e15fa3ca8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2807874.exe

Filesize
359KB

MD5
044b9f99c959e780f217d07998b4dc79

SHA1
bff80dbea107f3bf097576efb87668bdd3851d7a

SHA256
a5c7d93b354190af5109498cf4ee2b743f063e8780eef670327de428fefc589c

SHA512
69a393d4e94b3d1b874121e7da3cb8c27ec46b374bb01fae8a4805155a19f3edda82c897895d2088715a30830937ddf7053a449e457631e725351fa7e6f1351c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
memory/1376-39-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2180-66-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2180-81-0x0000000005AE0000-0x00000000060F8000-memory.dmp

Filesize
6.1MB

Download
memory/2180-85-0x00000000056E0000-0x000000000572C000-memory.dmp

Filesize
304KB

Download
memory/2180-84-0x0000000005550000-0x000000000558C000-memory.dmp

Filesize
240KB

Download
memory/2180-83-0x00000000054F0000-0x0000000005502000-memory.dmp

Filesize
72KB

Download
memory/2180-72-0x0000000002CC0000-0x0000000002CC6000-memory.dmp

Filesize
24KB

Download
memory/2180-82-0x00000000055D0000-0x00000000056DA000-memory.dmp

Filesize
1.0MB

Download
memory/2452-50-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4800-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4800-43-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4800-46-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4832-0-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4832-80-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4832-1-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4832-2-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4832-3-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download