amadey | 7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df

General

Target

7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
Size

44KB
MD5

9d78ab0da1948de3977123755ef0fe7c
SHA1

b000aa9b5df426225a02f208b78416cc2f8dab86
SHA256

7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df
SHA512

9576fdbeb8ad20a8ebcfc3121247f4e70a7e9240bea4122f471b813ea321566e45bc4db86fe5bed11ce17bbe14dc68cb82f29fe9df0cee78f0f6f90b5c756bf1
SSDEEP

768:BMbuPxqzgDwNIH/335cJX2om4VQRIEvmg5+FOKo5O:B1xv/H/335C2ozVQRItgMF4O

Score

10^/10

amadey 1176f2 discovery persistence trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

1176f2

C2

http://185.215.113.19

Attributes

install_dir
417fd29867
install_file
ednfoki.exe
strings_key
183201dc3defc4394182b4bff63c4065
url_paths
/CoreOPT/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exeovrflw.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ovrflw.exe

Executes dropped EXE 4 IoCs

Processes:

ovrflw.exemswabnet.exe7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

pid	process
3544	ovrflw.exe
2732	mswabnet.exe
2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
3936	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exeovrflw.exe7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df = "C:\\Users\\Admin\\Pictures\\Lighter Tech\\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe"	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Network Agent = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft Network Agent\\mswabnet.exe\""	ovrflw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df = "C:\\Users\\Admin\\Pictures\\Lighter Tech\\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe"	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df = "C:\\Users\\Admin\\Pictures\\Lighter Tech\\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe"	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

description	pid	process	target process
PID 1560 set thread context of 4176	1560	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 2316 set thread context of 3376	2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 3936 set thread context of 3048	3936	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AppLaunch.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AppLaunch.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4060 schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe

pid	process
4060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

pid	process
1560	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
1560	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exeovrflw.exemswabnet.exe7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

description	pid	process
Token: SeDebugPrivilege	1560	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
Token: SeDebugPrivilege	3544	ovrflw.exe
Token: SeDebugPrivilege	2732	mswabnet.exe
Token: SeDebugPrivilege	2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
Token: SeDebugPrivilege	3936	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exeAppLaunch.exeovrflw.execmd.exe7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

description	pid	process	target process
PID 1560 wrote to memory of 4788	1560	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 1560 wrote to memory of 4788	1560	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 1560 wrote to memory of 4788	1560	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 1560 wrote to memory of 4176	1560	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 1560 wrote to memory of 4176	1560	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 1560 wrote to memory of 4176	1560	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 1560 wrote to memory of 4176	1560	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 1560 wrote to memory of 4176	1560	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 1560 wrote to memory of 4176	1560	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 1560 wrote to memory of 4176	1560	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 1560 wrote to memory of 4176	1560	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 1560 wrote to memory of 4176	1560	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 1560 wrote to memory of 4176	1560	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 4176 wrote to memory of 3544	4176	AppLaunch.exe	ovrflw.exe
PID 4176 wrote to memory of 3544	4176	AppLaunch.exe	ovrflw.exe
PID 3544 wrote to memory of 2732	3544	ovrflw.exe	mswabnet.exe
PID 3544 wrote to memory of 2732	3544	ovrflw.exe	mswabnet.exe
PID 1560 wrote to memory of 1812	1560	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	cmd.exe
PID 1560 wrote to memory of 1812	1560	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	cmd.exe
PID 1812 wrote to memory of 4060	1812	cmd.exe	schtasks.exe
PID 1812 wrote to memory of 4060	1812	cmd.exe	schtasks.exe
PID 2316 wrote to memory of 2640	2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 2316 wrote to memory of 2640	2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 2316 wrote to memory of 2640	2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 2316 wrote to memory of 1304	2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 2316 wrote to memory of 1304	2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 2316 wrote to memory of 1304	2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 2316 wrote to memory of 3376	2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 2316 wrote to memory of 3376	2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 2316 wrote to memory of 3376	2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 2316 wrote to memory of 3376	2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 2316 wrote to memory of 3376	2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 2316 wrote to memory of 3376	2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 2316 wrote to memory of 3376	2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 2316 wrote to memory of 3376	2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 2316 wrote to memory of 3376	2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 2316 wrote to memory of 3376	2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 2316 wrote to memory of 3428	2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	cmd.exe
PID 2316 wrote to memory of 3428	2316	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	cmd.exe
PID 3936 wrote to memory of 3048	3936	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 3936 wrote to memory of 3048	3936	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 3936 wrote to memory of 3048	3936	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 3936 wrote to memory of 3048	3936	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 3936 wrote to memory of 3048	3936	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 3936 wrote to memory of 3048	3936	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 3936 wrote to memory of 3048	3936	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 3936 wrote to memory of 3048	3936	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 3936 wrote to memory of 3048	3936	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 3936 wrote to memory of 3048	3936	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	AppLaunch.exe
PID 3936 wrote to memory of 4644	3936	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	cmd.exe
PID 3936 wrote to memory of 4644	3936	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
"C:\Users\Admin\AppData\Local\Temp\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Users\Admin\AppData\Local\Temp\1000279001\ovrflw.exe
    "C:\Users\Admin\AppData\Local\Temp\1000279001\ovrflw.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Users\Admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" "C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df" /TR "C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /SC MINUTE /MO 1 /TN "7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df" /TR "C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" /F
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4060

C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
"C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" "C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df" /TR "C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" /F
  2⤵
  PID:3428

C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
"C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" "C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df" /TR "C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" /F
  2⤵
  PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000279001\ovrflw.exe

Filesize
1.4MB

MD5
3adfc7cf1e296c6fb703991c5233721d

SHA1
fddd2877ce7952b91c3f841ca353235d6d8eea67

SHA256
6bc23179d079d220337ede270113d4a474b549f5f0c7fd57f3d33d318f7ae471

SHA512
5136525626c3021baf8d35be0d76473cc03bfe2433682d613650b8e4bb444f767d2d14ac0070ce46c4c220e0a71a8f2e789e4e684e2042bd78b60f68f35a652b

Download Submit
C:\Users\Admin\AppData\Local\Temp\302416131143

Filesize
81KB

MD5
31f8de3915f08a861f55707db3306fe6

SHA1
01c1890cdb1038dc381cf8b7e2f561d7b6cbad22

SHA256
662d2ec8a60b5d41d2bd9e5d3be03da72bca3cd2748d0c7e706e2bf47e6b7341

SHA512
e64dbc604f75db76b61d9308e1bbd5d46cb0d7148bbd68d28ba759f4e7473e70d4c55c6c4efcb13a24b8cb6be037d5c1aebb07ac985c5b4de6f4ee5be34b68e0

Download Submit
C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

Filesize
44KB

MD5
9d78ab0da1948de3977123755ef0fe7c

SHA1
b000aa9b5df426225a02f208b78416cc2f8dab86

SHA256
7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df

SHA512
9576fdbeb8ad20a8ebcfc3121247f4e70a7e9240bea4122f471b813ea321566e45bc4db86fe5bed11ce17bbe14dc68cb82f29fe9df0cee78f0f6f90b5c756bf1

Download Submit
memory/1560-7-0x00007FF9FB7D0000-0x00007FF9FC291000-memory.dmp

Filesize
10.8MB

Download
memory/1560-4-0x00007FF9FB7D0000-0x00007FF9FC291000-memory.dmp

Filesize
10.8MB

Download
memory/1560-5-0x000000001C3E0000-0x000000001C464000-memory.dmp

Filesize
528KB

Download
memory/1560-0-0x00007FF9FB7D3000-0x00007FF9FB7D5000-memory.dmp

Filesize
8KB

Download
memory/1560-6-0x000000001C5D0000-0x000000001C640000-memory.dmp

Filesize
448KB

Download
memory/1560-3-0x00007FF9FB7D3000-0x00007FF9FB7D5000-memory.dmp

Filesize
8KB

Download
memory/1560-59-0x00007FF9FB7D0000-0x00007FF9FC291000-memory.dmp

Filesize
10.8MB

Download
memory/1560-56-0x00007FF9FB7D0000-0x00007FF9FC291000-memory.dmp

Filesize
10.8MB

Download
memory/1560-2-0x00007FF9FB7D0000-0x00007FF9FC291000-memory.dmp

Filesize
10.8MB

Download
memory/1560-1-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/3048-66-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3376-63-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3544-43-0x00007FF9FB7D3000-0x00007FF9FB7D5000-memory.dmp

Filesize
8KB

Download
memory/3544-44-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/4176-41-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4176-31-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4176-13-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4176-11-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4176-10-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4176-9-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4176-8-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads