amadey | 63aa088983e33c8b1f62d9b84b5ae21a20d88c5ea19e3e5b47ac42ce2d41c2bb

Analysis

max time kernel
108s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

560aed3fba4d4f0c2a4ca859f807a950N.exe
Size

1.4MB
MD5

560aed3fba4d4f0c2a4ca859f807a950
SHA1

92e07821962a3d467524960e609f8442e67d2150
SHA256

63aa088983e33c8b1f62d9b84b5ae21a20d88c5ea19e3e5b47ac42ce2d41c2bb
SHA512

962490d8283ff1830d6a41c7ec8df7f7210375994664effead975b62bfa223e454aa85f5f59b5628a694ef8d44c5b5cf0b50e0e2ca9d064a7528fd495b34e036
SSDEEP

24576:eyN/XTIfxSt6ABGo+qh2TKwEKKcNF5JvzluAqc67c8l2FROKUd01Jrr:tNbeS8sGotSJhsG67c5jVzn

Score

10^/10

amadey mystic redline smokeloader 04d170 grome backdoor discovery evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

Botnet

04d170

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3948-39-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/3948-42-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/3948-40-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/files/0x00070000000234e0-72.dat	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3880-51-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	5CH0yp6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 13 IoCs

pid	Process
64	rM4nh51.exe
4804	gt0Up90.exe
2428	KV7OX38.exe
2836	kA5VZ09.exe
4288	1JQ37Np8.exe
1988	2bw0440.exe
2396	3UN07Yr.exe
3152	4XJ096rf.exe
892	5CH0yp6.exe
5108	explothe.exe
1548	6dc8AC9.exe
4172	explothe.exe
688	explothe.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	560aed3fba4d4f0c2a4ca859f807a950N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	rM4nh51.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	gt0Up90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	KV7OX38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	kA5VZ09.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4288 set thread context of 3348	4288	1JQ37Np8.exe	92
PID 1988 set thread context of 3948	1988	2bw0440.exe	98
PID 3152 set thread context of 3880	3152	4XJ096rf.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4924	4288	WerFault.exe	89
1712	1988	WerFault.exe	97
840	3152	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6dc8AC9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	560aed3fba4d4f0c2a4ca859f807a950N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rM4nh51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explothe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4XJ096rf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5CH0yp6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bw0440.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kA5VZ09.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3UN07Yr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gt0Up90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KV7OX38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1JQ37Np8.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3UN07Yr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3UN07Yr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3UN07Yr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3348	AppLaunch.exe
3348	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3348	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 64	2932	560aed3fba4d4f0c2a4ca859f807a950N.exe	84
PID 2932 wrote to memory of 64	2932	560aed3fba4d4f0c2a4ca859f807a950N.exe	84
PID 2932 wrote to memory of 64	2932	560aed3fba4d4f0c2a4ca859f807a950N.exe	84
PID 64 wrote to memory of 4804	64	rM4nh51.exe	85
PID 64 wrote to memory of 4804	64	rM4nh51.exe	85
PID 64 wrote to memory of 4804	64	rM4nh51.exe	85
PID 4804 wrote to memory of 2428	4804	gt0Up90.exe	86
PID 4804 wrote to memory of 2428	4804	gt0Up90.exe	86
PID 4804 wrote to memory of 2428	4804	gt0Up90.exe	86
PID 2428 wrote to memory of 2836	2428	KV7OX38.exe	87
PID 2428 wrote to memory of 2836	2428	KV7OX38.exe	87
PID 2428 wrote to memory of 2836	2428	KV7OX38.exe	87
PID 2836 wrote to memory of 4288	2836	kA5VZ09.exe	89
PID 2836 wrote to memory of 4288	2836	kA5VZ09.exe	89
PID 2836 wrote to memory of 4288	2836	kA5VZ09.exe	89
PID 4288 wrote to memory of 2104	4288	1JQ37Np8.exe	91
PID 4288 wrote to memory of 2104	4288	1JQ37Np8.exe	91
PID 4288 wrote to memory of 2104	4288	1JQ37Np8.exe	91
PID 4288 wrote to memory of 3348	4288	1JQ37Np8.exe	92
PID 4288 wrote to memory of 3348	4288	1JQ37Np8.exe	92
PID 4288 wrote to memory of 3348	4288	1JQ37Np8.exe	92
PID 4288 wrote to memory of 3348	4288	1JQ37Np8.exe	92
PID 4288 wrote to memory of 3348	4288	1JQ37Np8.exe	92
PID 4288 wrote to memory of 3348	4288	1JQ37Np8.exe	92
PID 4288 wrote to memory of 3348	4288	1JQ37Np8.exe	92
PID 4288 wrote to memory of 3348	4288	1JQ37Np8.exe	92
PID 2836 wrote to memory of 1988	2836	kA5VZ09.exe	97
PID 2836 wrote to memory of 1988	2836	kA5VZ09.exe	97
PID 2836 wrote to memory of 1988	2836	kA5VZ09.exe	97
PID 1988 wrote to memory of 3948	1988	2bw0440.exe	98
PID 1988 wrote to memory of 3948	1988	2bw0440.exe	98
PID 1988 wrote to memory of 3948	1988	2bw0440.exe	98
PID 1988 wrote to memory of 3948	1988	2bw0440.exe	98
PID 1988 wrote to memory of 3948	1988	2bw0440.exe	98
PID 1988 wrote to memory of 3948	1988	2bw0440.exe	98
PID 1988 wrote to memory of 3948	1988	2bw0440.exe	98
PID 1988 wrote to memory of 3948	1988	2bw0440.exe	98
PID 1988 wrote to memory of 3948	1988	2bw0440.exe	98
PID 1988 wrote to memory of 3948	1988	2bw0440.exe	98
PID 2428 wrote to memory of 2396	2428	KV7OX38.exe	101
PID 2428 wrote to memory of 2396	2428	KV7OX38.exe	101
PID 2428 wrote to memory of 2396	2428	KV7OX38.exe	101
PID 4804 wrote to memory of 3152	4804	gt0Up90.exe	102
PID 4804 wrote to memory of 3152	4804	gt0Up90.exe	102
PID 4804 wrote to memory of 3152	4804	gt0Up90.exe	102
PID 3152 wrote to memory of 3880	3152	4XJ096rf.exe	103
PID 3152 wrote to memory of 3880	3152	4XJ096rf.exe	103
PID 3152 wrote to memory of 3880	3152	4XJ096rf.exe	103
PID 3152 wrote to memory of 3880	3152	4XJ096rf.exe	103
PID 3152 wrote to memory of 3880	3152	4XJ096rf.exe	103
PID 3152 wrote to memory of 3880	3152	4XJ096rf.exe	103
PID 3152 wrote to memory of 3880	3152	4XJ096rf.exe	103
PID 3152 wrote to memory of 3880	3152	4XJ096rf.exe	103
PID 64 wrote to memory of 892	64	rM4nh51.exe	106
PID 64 wrote to memory of 892	64	rM4nh51.exe	106
PID 64 wrote to memory of 892	64	rM4nh51.exe	106
PID 892 wrote to memory of 5108	892	5CH0yp6.exe	109
PID 892 wrote to memory of 5108	892	5CH0yp6.exe	109
PID 892 wrote to memory of 5108	892	5CH0yp6.exe	109
PID 2932 wrote to memory of 1548	2932	560aed3fba4d4f0c2a4ca859f807a950N.exe	110
PID 2932 wrote to memory of 1548	2932	560aed3fba4d4f0c2a4ca859f807a950N.exe	110
PID 2932 wrote to memory of 1548	2932	560aed3fba4d4f0c2a4ca859f807a950N.exe	110
PID 5108 wrote to memory of 344	5108	explothe.exe	111
PID 5108 wrote to memory of 344	5108	explothe.exe	111

C:\Users\Admin\AppData\Local\Temp\560aed3fba4d4f0c2a4ca859f807a950N.exe
"C:\Users\Admin\AppData\Local\Temp\560aed3fba4d4f0c2a4ca859f807a950N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rM4nh51.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rM4nh51.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gt0Up90.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gt0Up90.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KV7OX38.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KV7OX38.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kA5VZ09.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kA5VZ09.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JQ37Np8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JQ37Np8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 592
        7⤵
        Program crash
        
        PID:4924
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bw0440.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bw0440.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 584
        7⤵
        Program crash
        
        PID:1712
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3UN07Yr.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3UN07Yr.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        
        PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4XJ096rf.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4XJ096rf.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3152
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3880
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 584
        5⤵
        Program crash
        
        PID:840
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5CH0yp6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5CH0yp6.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
      "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:344
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3320
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4500
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4744
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6dc8AC9.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6dc8AC9.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4288 -ip 4288
1⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1988 -ip 1988
1⤵
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3152 -ip 3152
1⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4172

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6dc8AC9.exe

Filesize
183KB

MD5
c04e48272efe8cf86a6c5bf7b4867000

SHA1
617b104e1eaab45ca2c4ea3f7e70df511d5a9de1

SHA256
d5fc0ffcd2ec4e28d5f0faa3531d4d90ecd1b6e337ede3d087515819f4220133

SHA512
551b77950bd5afb375b10cc6b2cddf0ab8b68db4f2cefe3107d9c83686d043ac791971c5bbf036f39047c8f8d4366398f1fba47c0e94c68d0971625ea453c300

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rM4nh51.exe

Filesize
1.2MB

MD5
b60b2207ccf57bb627f3905b4a6e4469

SHA1
85e26a1c1992a475b890005c1b358bbc6703c588

SHA256
8fef4bb9920291e4c7dfdd5d28590023cb7234915e04c88732fbbc91a93725e0

SHA512
8870e3a416ef98a316201ae7dd7225f27e715db3587f80a2f235b1fcc573bcea305af2fe215a7cbd4f4cb1855cc3598c8e71e9cdc5a3e72060ca944cb396e32e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5CH0yp6.exe

Filesize
220KB

MD5
14d7b1887aff197a340398a63aa29f33

SHA1
e40d3bc5fa60f720bca7dbc59d88101ab64a9455

SHA256
b43f30519d25d9a4cd81b348d56b0f11f342400ad68aa12ef5119eca399b3ffb

SHA512
c087bede71c3c4d9a7566b77fa5d6915ec5c4d96f8b79e2bdd851cd02c4c7175729e08e922a6a5d19c88b1759dd2c61ef3854d04f93a794f8b804b2bd8b2b57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gt0Up90.exe

Filesize
1.0MB

MD5
da6a1005b8ba510f293b5144c6401e43

SHA1
0de955acb487e0c06d052dd94f6483362ec638d7

SHA256
b95143add9ea693bf43586e6fe0cc363885571d876f915cd16c011864eba30af

SHA512
4d3e1ebdf482ea043e7f2b456bb408515892849ce845050a651aac26f20dcf1c967da790146d333a0a2b5271a94229099de9103d42728d4dddb17e69a2989bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4XJ096rf.exe

Filesize
1.1MB

MD5
c474cb24af058ec68f12ecedb0bd6087

SHA1
ba1cdb7706fc2085052d82a3ed402aa443a164d7

SHA256
8cbcd459d3ec3e02afb56c45998ee13d21a8cd608872d3a4b34a4e50271691e6

SHA512
cd55dee64cdebd241f7c2346eb1a623c039efbcc2d692c779d7fbe7a6b398ac2650f3ce9a7b19d9f0e7ae1c297703161872fbef045c089b052ec97c09a6cccaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KV7OX38.exe

Filesize
650KB

MD5
6946d71943b70d9a6fa22c25e34fa51b

SHA1
3a6b554727df225f46ee9879d41dee6259b3ad55

SHA256
5027ffeacccd9ff07e5ef6cb06af09a35468674d0a46b1188108446f5fb4101e

SHA512
6b7f9b78fd30dd06b937470094d22a53a6d702d3fb6c440b596763b41378fe2cb4a50df3e8cb20905eaf86db623f19769a2a71a3553981fc7ee2553be89ab672

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3UN07Yr.exe

Filesize
30KB

MD5
09e03431d5c55edc2bf60331609db8b4

SHA1
120111f6c575b9f3a2f457cf502aac650173d37c

SHA256
78a145e6819374ec83e9eb912c0fe2a9866d4bc76ffb29ea2b5b7601c475f8b4

SHA512
5abebc570d06728dd769a187a4450e574d692d64a9e8c6a6654d196e8a42222ff12ead4604f9bd9a1ab605fe86cf5af8f117f7b67f44210915cb26958b6b04e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kA5VZ09.exe

Filesize
525KB

MD5
00332eccf52e12a5e85cdedaf5d8f6b9

SHA1
3f38ca99af4065d7e47b597fa79f4950a4144c4c

SHA256
906dc069d8b736b880df4ea9c9e0147ee7ec56efad22e9098b021157a3d28848

SHA512
cdee85600af427e325795f1eda12a3339032007010a2c3f31dc0536850d9fa3cf65dbae7ce0f2e5e602573c97c20f0a55ddc9c1856c6923188f9ac13134e13e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1JQ37Np8.exe

Filesize
890KB

MD5
e978c7e1a5be84e958419fdcecd0e1f0

SHA1
16990d1c40986a496472fe3221d9ceb981e25f4a

SHA256
e72e37b2e1966aa59d99102486d99e0cded9faded978cdb8e7b1e59e49c4cb14

SHA512
9fb36bc7791fa24cd8e87ab2fbe02079361f299a84866882b945fab775e44408d112543aced0735cb4aa6267fe8c325925a20ca643cd47b2bb3e07a2ba49484a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bw0440.exe

Filesize
1.1MB

MD5
8a4f92e7bae66ff53f4af5d0b94d7f0b

SHA1
4a3e2802afd48fddcad3b3badc28261aac260ea7

SHA256
791eedb3d2a4b678426283d48a53a6b1d9a1e059d5ca71c942b4b854ea4f2cc5

SHA512
1d2140f8792e3ab56e1fbd956f4b2cc7a31efa698284644a858c43e373b2053840d76870a45eeac43cae5eca9bd6b9c2b1f5704e26b0b2c0732f0bec0fe96027

Download Submit
memory/2396-45-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2396-47-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3348-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3880-64-0x0000000008690000-0x0000000008CA8000-memory.dmp

Filesize
6.1MB

Download
memory/3880-51-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3880-52-0x0000000007AC0000-0x0000000008064000-memory.dmp

Filesize
5.6MB

Download
memory/3880-53-0x00000000075C0000-0x0000000007652000-memory.dmp

Filesize
584KB

Download
memory/3880-54-0x0000000002A80000-0x0000000002A8A000-memory.dmp

Filesize
40KB

Download
memory/3880-65-0x0000000007920000-0x0000000007A2A000-memory.dmp

Filesize
1.0MB

Download
memory/3880-66-0x00000000077B0000-0x00000000077C2000-memory.dmp

Filesize
72KB

Download
memory/3880-67-0x0000000007810000-0x000000000784C000-memory.dmp

Filesize
240KB

Download
memory/3880-73-0x0000000007850000-0x000000000789C000-memory.dmp

Filesize
304KB

Download
memory/3948-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download