amadey | b23310b86d80bffcffe35c6f92eb831253f3a28c63950541948e3a6fcf5b1e2f

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b23310b86d80bffcffe35c6f92eb831253f3a28c63950541948e3a6fcf5b1e2f.exe
Size

1.4MB
MD5

acba689ca642e4676ebd1fd468b0fdf2
SHA1

15f59843a80bc39d57d7d179fb92fd55914a53ca
SHA256

b23310b86d80bffcffe35c6f92eb831253f3a28c63950541948e3a6fcf5b1e2f
SHA512

2102f04a4801ff95f204dbf1e263a854c3c97e8ee15d990923c48475f062dd92e8a71f2a1797735e6b368f21b124819127aa807d88749b5c94cb1de7be7ada6a
SSDEEP

24576:hZtMIfEBeLGsH/U/6Tlk9cBxsM6IyfWnd5UVG8DIsEVFxgTcaBegGRyyhZ:hZtM1eXfU/slljTvy4fPTjawgoyyhZ

Score

10^/10

amadey healer mystic redline smokeloader daf753 fb0fb8 monik backdoor discovery dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

monik

77.91.124.82:19071

Attributes

auth_value
da7d9ea0878f5901f1f8319d34bdccea

Extracted

Family

amadey

Version

3.89

Botnet

daf753

http://77.91.68.78

Attributes

install_dir
cb378487cf
install_file
legota.exe
strings_key
f3785cbeef2013b6724eed349fd316ba
url_paths
/help/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/2764-43-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral2/memory/2764-44-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral2/memory/2764-46-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/1836-39-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4756-66-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	t4283770.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	explonde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	w5604015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	legota.exe

Executes dropped EXE 18 IoCs

pid	Process
1948	z5198359.exe
3840	z5192637.exe
2816	z4349081.exe
4572	z5012861.exe
2500	q6702043.exe
2840	r0307756.exe
640	s4853021.exe
3988	t4283770.exe
4800	explonde.exe
1396	u3897821.exe
1424	w5604015.exe
2208	legota.exe
2448	legota.exe
3620	explonde.exe
404	legota.exe
336	explonde.exe
2232	legota.exe
3956	explonde.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z5012861.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5198359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5192637.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z4349081.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4856 set thread context of 4052	4856	b23310b86d80bffcffe35c6f92eb831253f3a28c63950541948e3a6fcf5b1e2f.exe	93
PID 2500 set thread context of 1836	2500	q6702043.exe	102
PID 2840 set thread context of 2764	2840	r0307756.exe	106
PID 640 set thread context of 3860	640	s4853021.exe	109
PID 1396 set thread context of 4756	1396	u3897821.exe	124

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b23310b86d80bffcffe35c6f92eb831253f3a28c63950541948e3a6fcf5b1e2f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z5192637.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z4349081.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	q6702043.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r0307756.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z5012861.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s4853021.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	legota.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explonde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z5198359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w5604015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	t4283770.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	u3897821.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4740	schtasks.exe
4388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1836	AppLaunch.exe
1836	AppLaunch.exe
1836	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4052	4856	b23310b86d80bffcffe35c6f92eb831253f3a28c63950541948e3a6fcf5b1e2f.exe	93
PID 4856 wrote to memory of 4052	4856	b23310b86d80bffcffe35c6f92eb831253f3a28c63950541948e3a6fcf5b1e2f.exe	93
PID 4856 wrote to memory of 4052	4856	b23310b86d80bffcffe35c6f92eb831253f3a28c63950541948e3a6fcf5b1e2f.exe	93
PID 4856 wrote to memory of 4052	4856	b23310b86d80bffcffe35c6f92eb831253f3a28c63950541948e3a6fcf5b1e2f.exe	93
PID 4856 wrote to memory of 4052	4856	b23310b86d80bffcffe35c6f92eb831253f3a28c63950541948e3a6fcf5b1e2f.exe	93
PID 4856 wrote to memory of 4052	4856	b23310b86d80bffcffe35c6f92eb831253f3a28c63950541948e3a6fcf5b1e2f.exe	93
PID 4856 wrote to memory of 4052	4856	b23310b86d80bffcffe35c6f92eb831253f3a28c63950541948e3a6fcf5b1e2f.exe	93
PID 4856 wrote to memory of 4052	4856	b23310b86d80bffcffe35c6f92eb831253f3a28c63950541948e3a6fcf5b1e2f.exe	93
PID 4856 wrote to memory of 4052	4856	b23310b86d80bffcffe35c6f92eb831253f3a28c63950541948e3a6fcf5b1e2f.exe	93
PID 4856 wrote to memory of 4052	4856	b23310b86d80bffcffe35c6f92eb831253f3a28c63950541948e3a6fcf5b1e2f.exe	93
PID 4052 wrote to memory of 1948	4052	AppLaunch.exe	94
PID 4052 wrote to memory of 1948	4052	AppLaunch.exe	94
PID 4052 wrote to memory of 1948	4052	AppLaunch.exe	94
PID 1948 wrote to memory of 3840	1948	z5198359.exe	96
PID 1948 wrote to memory of 3840	1948	z5198359.exe	96
PID 1948 wrote to memory of 3840	1948	z5198359.exe	96
PID 3840 wrote to memory of 2816	3840	z5192637.exe	98
PID 3840 wrote to memory of 2816	3840	z5192637.exe	98
PID 3840 wrote to memory of 2816	3840	z5192637.exe	98
PID 2816 wrote to memory of 4572	2816	z4349081.exe	99
PID 2816 wrote to memory of 4572	2816	z4349081.exe	99
PID 2816 wrote to memory of 4572	2816	z4349081.exe	99
PID 4572 wrote to memory of 2500	4572	z5012861.exe	100
PID 4572 wrote to memory of 2500	4572	z5012861.exe	100
PID 4572 wrote to memory of 2500	4572	z5012861.exe	100
PID 2500 wrote to memory of 1836	2500	q6702043.exe	102
PID 2500 wrote to memory of 1836	2500	q6702043.exe	102
PID 2500 wrote to memory of 1836	2500	q6702043.exe	102
PID 2500 wrote to memory of 1836	2500	q6702043.exe	102
PID 2500 wrote to memory of 1836	2500	q6702043.exe	102
PID 2500 wrote to memory of 1836	2500	q6702043.exe	102
PID 2500 wrote to memory of 1836	2500	q6702043.exe	102
PID 2500 wrote to memory of 1836	2500	q6702043.exe	102
PID 4572 wrote to memory of 2840	4572	z5012861.exe	103
PID 4572 wrote to memory of 2840	4572	z5012861.exe	103
PID 4572 wrote to memory of 2840	4572	z5012861.exe	103
PID 2840 wrote to memory of 4936	2840	r0307756.exe	105
PID 2840 wrote to memory of 4936	2840	r0307756.exe	105
PID 2840 wrote to memory of 4936	2840	r0307756.exe	105
PID 2840 wrote to memory of 2764	2840	r0307756.exe	106
PID 2840 wrote to memory of 2764	2840	r0307756.exe	106
PID 2840 wrote to memory of 2764	2840	r0307756.exe	106
PID 2840 wrote to memory of 2764	2840	r0307756.exe	106
PID 2840 wrote to memory of 2764	2840	r0307756.exe	106
PID 2840 wrote to memory of 2764	2840	r0307756.exe	106
PID 2840 wrote to memory of 2764	2840	r0307756.exe	106
PID 2840 wrote to memory of 2764	2840	r0307756.exe	106
PID 2840 wrote to memory of 2764	2840	r0307756.exe	106
PID 2840 wrote to memory of 2764	2840	r0307756.exe	106
PID 2816 wrote to memory of 640	2816	z4349081.exe	107
PID 2816 wrote to memory of 640	2816	z4349081.exe	107
PID 2816 wrote to memory of 640	2816	z4349081.exe	107
PID 640 wrote to memory of 3860	640	s4853021.exe	109
PID 640 wrote to memory of 3860	640	s4853021.exe	109
PID 640 wrote to memory of 3860	640	s4853021.exe	109
PID 640 wrote to memory of 3860	640	s4853021.exe	109
PID 640 wrote to memory of 3860	640	s4853021.exe	109
PID 640 wrote to memory of 3860	640	s4853021.exe	109
PID 3840 wrote to memory of 3988	3840	z5192637.exe	110
PID 3840 wrote to memory of 3988	3840	z5192637.exe	110
PID 3840 wrote to memory of 3988	3840	z5192637.exe	110
PID 3988 wrote to memory of 4800	3988	t4283770.exe	111
PID 3988 wrote to memory of 4800	3988	t4283770.exe	111
PID 3988 wrote to memory of 4800	3988	t4283770.exe	111

C:\Users\Admin\AppData\Local\Temp\b23310b86d80bffcffe35c6f92eb831253f3a28c63950541948e3a6fcf5b1e2f.exe
"C:\Users\Admin\AppData\Local\Temp\b23310b86d80bffcffe35c6f92eb831253f3a28c63950541948e3a6fcf5b1e2f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5198359.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5198359.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5192637.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5192637.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3840
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4349081.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4349081.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5012861.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5012861.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6702043.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6702043.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0307756.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0307756.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:4936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4853021.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4853021.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        
        PID:3860
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4283770.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4283770.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3988
      - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:N"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:R" /E
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4744
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3897821.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3897821.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1396
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4756
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5604015.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5604015.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1424
  - - C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
      "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2208
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4388
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:636
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:N"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:224
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:R" /E
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4076
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:N"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:R" /E
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:828

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:2448

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:3620

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:404

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:336

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:2232

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5604015.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5198359.exe

Filesize
1.0MB

MD5
7ed293af132f02ed5e378a43fac25403

SHA1
b4911c489cf719b474c9b8aff09c5e485b651587

SHA256
90379f5d67425fc3317d64e99f470381a4da17456ac25883719515ccc0fccb01

SHA512
b56dbfc69e4eaa08b2c9a70984f582f8de45cab6dbf9d444270263baf14218b4de33c1eecac2618eb242d83bb9f3b76bc3d98d64ed193cecc2dfec9cd3eeb425

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3897821.exe

Filesize
393KB

MD5
eeea4f4c5af017b5332fefac016fd9c1

SHA1
1094b2a495179789b038b5a7f286c30a07eb5784

SHA256
c73a1b955800570844711119a721f8aefa7e2a1918394043212c2e37a78d8508

SHA512
1bcb0ccadffca06e229555d99c51a0c1ba41591a25b0a9b9e071f09d15dcd6dbfeb6519b5d2270670052a43001e4c4ea205aed49a283f351978c900bec1a7cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5192637.exe

Filesize
759KB

MD5
f14a07b37201528e46522b19e6fd24c0

SHA1
75f048abf01ebfe0bdc2337724488af678bed0e0

SHA256
29b1701c2ec20554bf4e1f6275ed61ba049120a6462754b430eec543445c7bfe

SHA512
80dd3351ceedee8b6f7e0341a57fc58552d76ba50b98b6c4de864bc03d172e11d1a67c65c8c9d0a49b8101d754d2573a91a768eed1be9daf74e72fd83ea3df17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4283770.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4349081.exe

Filesize
576KB

MD5
08663f1249c5ca536e5879ef3565abe7

SHA1
e92913afdf791e794bb8e6f65a299c819b9badfc

SHA256
0a7ba8a0873af62ea4a6ad99346154ca5e1221a23dd90bd0ac3157f1f6008064

SHA512
553bc1168da3095f989b2c380e2df7cc51657cf759d3b7008c633f90a8e79e17c04fe3e6ec158622a8eefa01f8d7432749621a73da32025c03f2edb256b6f9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4853021.exe

Filesize
249KB

MD5
b5d40530be6bfc62e9a56bb97b87c485

SHA1
d769ac8ad8b5c9b2b9784704ff0bdec47bd927ed

SHA256
41cf7742424e33203f2674e96ef0f9e0c8d92ecf1a76f3f8e3932daaacad75e7

SHA512
2ea331c8049fbcab02382fa347c77d189f518a202dbb6148699ab8f6685964a6fe763546b618070ecde174f5cac2c067801979a6c53c574379aeca5475e70a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5012861.exe

Filesize
341KB

MD5
a6aba2356148aa0baf984cd16a3e4634

SHA1
230095a830f4077fb6260de79ff65460888d7f78

SHA256
05d8fbc3cf0087f3b5e6a454ed733679bb10ce88347320b8e8c87d19e4de9d39

SHA512
c787699449c705295ec6326079924a07e82091e285523c963c38a1062c56498bfc6ffa57d20bd6c1737f499773ffacbfa87c78f5bf8bd4b16a8ec61cf0bdc288

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6702043.exe

Filesize
230KB

MD5
88aa5110d74866f768f0401dc35bb19f

SHA1
763b5948fbf4246541484c9bd10ebc5fd84fc2e8

SHA256
b4c4bad36a4048e1dfcd9e1745cdef528b7de5975f8f38f541e59bebbd857281

SHA512
94c4d57e0c14f7b6934a24573ecf03e229d3194b408c59638bcd220943d9dec872ebe958e38cb4e4a1b1918fab6276240336d813af2519ae231a3e49f196b0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0307756.exe

Filesize
359KB

MD5
36efdceb69a8bc9f2a65c58896c57334

SHA1
37de0e666965e979c8f2684aa25d750f65028bda

SHA256
83542dfff470bea9d8061ba5298222f8930f5c2ad35e4ebefef2723cd576aa85

SHA512
dcb315bfc5e6f05a46ab5b7b47defcc498c8c42a70d990de6e34c9368f78b578c90a30a1736681b86ce3e8c7e02c0840634f840d52c18d2a136e4057b075485a

Download Submit
memory/1836-39-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2764-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2764-46-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2764-43-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3860-50-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4052-80-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4052-3-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4052-2-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4052-1-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4052-0-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4756-66-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4756-72-0x0000000001430000-0x0000000001436000-memory.dmp

Filesize
24KB

Download
memory/4756-81-0x000000000B110000-0x000000000B728000-memory.dmp

Filesize
6.1MB

Download
memory/4756-82-0x000000000AC50000-0x000000000AD5A000-memory.dmp

Filesize
1.0MB

Download
memory/4756-83-0x000000000AB90000-0x000000000ABA2000-memory.dmp

Filesize
72KB

Download
memory/4756-84-0x000000000ABF0000-0x000000000AC2C000-memory.dmp

Filesize
240KB

Download
memory/4756-85-0x0000000004FF0000-0x000000000503C000-memory.dmp

Filesize
304KB

Download