amadey | eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676

Analysis

max time kernel
74s
max time network
123s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe
Size

431KB
MD5

4962575a2378d5c72e7a836ea766e2ad
SHA1

549964178b12017622d3cbdda6dbfdef0904e7e2
SHA256

eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676
SHA512

911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53
SSDEEP

12288:JOKJim5EI9tVEw/JF4+D3q2IMbgiDK7mWasB:Jj9tL8ZMEiDfWb

Score

10^/10

amadey redline 0f3be6 eewx credential_access discovery execution infostealer persistence privilege_escalation pyinstaller spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

5.10

Botnet

0f3be6

http://185.81.68.147

http://185.81.68.148

Attributes

install_dir
ee29ea508b
install_file
Gxtuum.exe
strings_key
d3a5912ea69ad34a2387af70c8be9e21
url_paths
/7vhfjke3/index.php

/8Fvu5jh4DbS/index.php

rc4.plain

Extracted

Family

redline

Botnet

eewx

185.81.68.147:1912

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000500000001a4eb-144.dat	family_redline
behavioral1/memory/1748-183-0x0000000000A70000-0x0000000000AC2000-memory.dmp	family_redline
behavioral1/memory/916-228-0x0000000000320000-0x0000000000372000-memory.dmp	family_redline

Redline family
redline

Blocklisted process makes network request 8 IoCs

flow	pid	Process
9	3060	rundll32.exe
10	3060	rundll32.exe
13	2272	rundll32.exe
14	2272	rundll32.exe
22	1500	rundll32.exe
23	1500	rundll32.exe
30	2420	rundll32.exe
31	2420	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
2332	Gxtuum.exe
1480	update.exe
1516	update.exe
2344	62D8.tmp.ctx.exe
1748	651A.tmp.ssg.exe
2852	62D8.tmp.ctx.exe
868	6A3B.tmp.gfx.exe
916	ssg.exe

Loads dropped DLL 54 IoCs

pid	Process
1172	eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe
1668	rundll32.exe
1668	rundll32.exe
1668	rundll32.exe
1668	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3040	rundll32.exe
3040	rundll32.exe
3040	rundll32.exe
3040	rundll32.exe
2272	rundll32.exe
2272	rundll32.exe
2272	rundll32.exe
2272	rundll32.exe
2332	Gxtuum.exe
2332	Gxtuum.exe
2332	Gxtuum.exe
2332	Gxtuum.exe
1500	rundll32.exe
1500	rundll32.exe
1500	rundll32.exe
1500	rundll32.exe
1248	Explorer.EXE
2344	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2852	62D8.tmp.ctx.exe
2332	Gxtuum.exe
2420	rundll32.exe
2420	rundll32.exe
2420	rundll32.exe
2420	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\947F56A1214D291931458\\947F56A1214D291931458.exe"	update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\947F56A1214D291931458\\947F56A1214D291931458.exe"	update.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Gxtuum.job	eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2212	powershell.exe
1728	powershell.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000500000001a4d9-126.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	651A.tmp.ssg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2304	netsh.exe
1700	netsh.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
2212	powershell.exe
2272	rundll32.exe
2272	rundll32.exe
2272	rundll32.exe
2272	rundll32.exe
2272	rundll32.exe
2272	rundll32.exe
1728	powershell.exe
1480	update.exe
1248	Explorer.EXE
1748	651A.tmp.ssg.exe
1748	651A.tmp.ssg.exe
916	ssg.exe
1748	651A.tmp.ssg.exe
916	ssg.exe
916	ssg.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeIncreaseQuotaPrivilege	1480	update.exe
Token: SeSecurityPrivilege	1480	update.exe
Token: SeTakeOwnershipPrivilege	1480	update.exe
Token: SeLoadDriverPrivilege	1480	update.exe
Token: SeSystemProfilePrivilege	1480	update.exe
Token: SeSystemtimePrivilege	1480	update.exe
Token: SeProfSingleProcessPrivilege	1480	update.exe
Token: SeIncBasePriorityPrivilege	1480	update.exe
Token: SeCreatePagefilePrivilege	1480	update.exe
Token: SeBackupPrivilege	1480	update.exe
Token: SeRestorePrivilege	1480	update.exe
Token: SeShutdownPrivilege	1480	update.exe
Token: SeDebugPrivilege	1480	update.exe
Token: SeSystemEnvironmentPrivilege	1480	update.exe
Token: SeRemoteShutdownPrivilege	1480	update.exe
Token: SeUndockPrivilege	1480	update.exe
Token: SeManageVolumePrivilege	1480	update.exe
Token: 33	1480	update.exe
Token: 34	1480	update.exe
Token: 35	1480	update.exe
Token: SeDebugPrivilege	1480	update.exe
Token: SeIncreaseQuotaPrivilege	1516	update.exe
Token: SeSecurityPrivilege	1516	update.exe
Token: SeTakeOwnershipPrivilege	1516	update.exe
Token: SeLoadDriverPrivilege	1516	update.exe
Token: SeSystemProfilePrivilege	1516	update.exe
Token: SeSystemtimePrivilege	1516	update.exe
Token: SeProfSingleProcessPrivilege	1516	update.exe
Token: SeIncBasePriorityPrivilege	1516	update.exe
Token: SeCreatePagefilePrivilege	1516	update.exe
Token: SeBackupPrivilege	1516	update.exe
Token: SeRestorePrivilege	1516	update.exe
Token: SeShutdownPrivilege	1516	update.exe
Token: SeDebugPrivilege	1516	update.exe
Token: SeSystemEnvironmentPrivilege	1516	update.exe
Token: SeRemoteShutdownPrivilege	1516	update.exe
Token: SeUndockPrivilege	1516	update.exe
Token: SeManageVolumePrivilege	1516	update.exe
Token: 33	1516	update.exe
Token: 34	1516	update.exe
Token: 35	1516	update.exe
Token: SeDebugPrivilege	916	ssg.exe
Token: SeDebugPrivilege	1748	651A.tmp.ssg.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1172	eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 2332	1172	eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe	30
PID 1172 wrote to memory of 2332	1172	eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe	30
PID 1172 wrote to memory of 2332	1172	eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe	30
PID 1172 wrote to memory of 2332	1172	eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe	30
PID 2332 wrote to memory of 1668	2332	Gxtuum.exe	32
PID 2332 wrote to memory of 1668	2332	Gxtuum.exe	32
PID 2332 wrote to memory of 1668	2332	Gxtuum.exe	32
PID 2332 wrote to memory of 1668	2332	Gxtuum.exe	32
PID 2332 wrote to memory of 1668	2332	Gxtuum.exe	32
PID 2332 wrote to memory of 1668	2332	Gxtuum.exe	32
PID 2332 wrote to memory of 1668	2332	Gxtuum.exe	32
PID 1668 wrote to memory of 3060	1668	rundll32.exe	33
PID 1668 wrote to memory of 3060	1668	rundll32.exe	33
PID 1668 wrote to memory of 3060	1668	rundll32.exe	33
PID 1668 wrote to memory of 3060	1668	rundll32.exe	33
PID 3060 wrote to memory of 1700	3060	rundll32.exe	34
PID 3060 wrote to memory of 1700	3060	rundll32.exe	34
PID 3060 wrote to memory of 1700	3060	rundll32.exe	34
PID 3060 wrote to memory of 2212	3060	rundll32.exe	36
PID 3060 wrote to memory of 2212	3060	rundll32.exe	36
PID 3060 wrote to memory of 2212	3060	rundll32.exe	36
PID 2332 wrote to memory of 3040	2332	Gxtuum.exe	38
PID 2332 wrote to memory of 3040	2332	Gxtuum.exe	38
PID 2332 wrote to memory of 3040	2332	Gxtuum.exe	38
PID 2332 wrote to memory of 3040	2332	Gxtuum.exe	38
PID 2332 wrote to memory of 3040	2332	Gxtuum.exe	38
PID 2332 wrote to memory of 3040	2332	Gxtuum.exe	38
PID 2332 wrote to memory of 3040	2332	Gxtuum.exe	38
PID 3040 wrote to memory of 2272	3040	rundll32.exe	39
PID 3040 wrote to memory of 2272	3040	rundll32.exe	39
PID 3040 wrote to memory of 2272	3040	rundll32.exe	39
PID 3040 wrote to memory of 2272	3040	rundll32.exe	39
PID 2272 wrote to memory of 2304	2272	rundll32.exe	40
PID 2272 wrote to memory of 2304	2272	rundll32.exe	40
PID 2272 wrote to memory of 2304	2272	rundll32.exe	40
PID 2272 wrote to memory of 1728	2272	rundll32.exe	42
PID 2272 wrote to memory of 1728	2272	rundll32.exe	42
PID 2272 wrote to memory of 1728	2272	rundll32.exe	42
PID 2332 wrote to memory of 1480	2332	Gxtuum.exe	44
PID 2332 wrote to memory of 1480	2332	Gxtuum.exe	44
PID 2332 wrote to memory of 1480	2332	Gxtuum.exe	44
PID 2332 wrote to memory of 1480	2332	Gxtuum.exe	44
PID 1480 wrote to memory of 1248	1480	update.exe	21
PID 2332 wrote to memory of 1516	2332	Gxtuum.exe	45
PID 2332 wrote to memory of 1516	2332	Gxtuum.exe	45
PID 2332 wrote to memory of 1516	2332	Gxtuum.exe	45
PID 2332 wrote to memory of 1516	2332	Gxtuum.exe	45
PID 2332 wrote to memory of 1500	2332	Gxtuum.exe	46
PID 2332 wrote to memory of 1500	2332	Gxtuum.exe	46
PID 2332 wrote to memory of 1500	2332	Gxtuum.exe	46
PID 2332 wrote to memory of 1500	2332	Gxtuum.exe	46
PID 2332 wrote to memory of 1500	2332	Gxtuum.exe	46
PID 2332 wrote to memory of 1500	2332	Gxtuum.exe	46
PID 2332 wrote to memory of 1500	2332	Gxtuum.exe	46
PID 1248 wrote to memory of 2344	1248	Explorer.EXE	47
PID 1248 wrote to memory of 2344	1248	Explorer.EXE	47
PID 1248 wrote to memory of 2344	1248	Explorer.EXE	47
PID 1248 wrote to memory of 1748	1248	Explorer.EXE	48
PID 1248 wrote to memory of 1748	1248	Explorer.EXE	48
PID 1248 wrote to memory of 1748	1248	Explorer.EXE	48
PID 1248 wrote to memory of 1748	1248	Explorer.EXE	48
PID 2344 wrote to memory of 2852	2344	62D8.tmp.ctx.exe	49
PID 2344 wrote to memory of 2852	2344	62D8.tmp.ctx.exe	49
PID 2344 wrote to memory of 2852	2344	62D8.tmp.ctx.exe	49

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe
  "C:\Users\Admin\AppData\Local\Temp\eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
    "C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3060
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1700
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\703099537420_Desktop.zip' -CompressionLevel Optimal
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2304
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\703099537420_Desktop.zip' -CompressionLevel Optimal
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\10000820101\update.exe
      "C:\Users\Admin\AppData\Local\Temp\10000820101\update.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\10000830101\update.exe
      "C:\Users\Admin\AppData\Local\Temp\10000830101\update.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:1516
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1500
  - - C:\Users\Admin\AppData\Local\Temp\10000840101\ssg.exe
      "C:\Users\Admin\AppData\Local\Temp\10000840101\ssg.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:916
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2420
- C:\Users\Admin\AppData\Local\Temp\62D8.tmp.ctx.exe
  "C:\Users\Admin\AppData\Local\Temp\62D8.tmp.ctx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\62D8.tmp.ctx.exe
    "C:\Users\Admin\AppData\Local\Temp\62D8.tmp.ctx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2852
- C:\Users\Admin\AppData\Local\Temp\651A.tmp.ssg.exe
  "C:\Users\Admin\AppData\Local\Temp\651A.tmp.ssg.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Users\Admin\AppData\Local\Temp\6A3B.tmp.gfx.exe
  "C:\Users\Admin\AppData\Local\Temp\6A3B.tmp.gfx.exe"
  2⤵
  - Executes dropped EXE
  PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10000820101\update.exe

Filesize
301KB

MD5
dd1e3f38ae7711d270748012af613950

SHA1
b3b90eec3507f523aa63802cc16e5248c8ef0ea8

SHA256
2997292293c332e73b11fa28126b6fbefea75a6bb02001eb017de46797d4e4ec

SHA512
0eff0cba972b6622fb59683fe4d15d1b6c1ef106166189f60dcd7b4c76b6ceb82fd5c71433dc61394f03eff03575f2be27dec6ac8ab064491710263879b11bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\651A.tmp.ssg.exe

Filesize
300KB

MD5
7b6730ca4da283a35c41b831b9567f15

SHA1
92ef2fd33f713d72207209ec65f0de6eef395af5

SHA256
94d7d12ae53ce97f38d8890383c2317ce03d45bd6ecaf0e0b9165c7066cd300c

SHA512
ae2d10f9895e5f2af10b4fa87cdb7c930a531e910b55cd752b15dac77a432cc28eca6e5b32b95eeb21e238aaf2eb57e29474660cae93e734d0b6543c1d462ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\703099537420

Filesize
74KB

MD5
a7f1e5c79680dfd6a1cb70dfbe1c142e

SHA1
8ac7b838e4ecb568ae8b0e4540ed1eb371ed08d5

SHA256
071389be18573db55189f402954c2e163e622cf0ff09bbec8ddeb728d2137f73

SHA512
0da53cf7022630403c10e78e7dbb9b46a1fe104a6cd4e9c2cf49a77a9d09f15ce836f20f1bfa80089868e7a96032c612e497e52efac5d131629621fe99188eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\RegisterRead.xlsx

Filesize
13KB

MD5
682d6ab0f6936e8c74e0c55089807b23

SHA1
e3d8809b72787cd635f2db4d4333b446d3bccbf6

SHA256
8aefc8e0a1572fa901cccad227cd0e222def86d477431d1b2663f4b420c93a6b

SHA512
9ddb906344f6e676f9205e9352057ceabd306874caba1d8f7bc630fe0ad193ada83f7f95dba3950705d453ad32b584cd691a0a298c7486728f951dc34590edc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-core-file-l1-2-0.dll

Filesize
19KB

MD5
f0c73f7454a5ce6fb8e3d795fdb0235d

SHA1
acdd6c5a359421d268b28ddf19d3bcb71f36c010

SHA256
2a59dd891533a028fae7a81e690e4c28c9074c2f327393fab17329affe53fd7b

SHA512
bd6cf4e37c3e7a1a3b36f42858af1b476f69caa4ba1fd836a7e32220e5eff7ccc811c903019560844af988a7c77cc41dc6216c0c949d8e04516a537da5821a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
1d75e7b9f68c23a195d408cf02248119

SHA1
62179fc9a949d238bb221d7c2f71ba7c1680184c

SHA256
67ebe168b7019627d68064043680674f9782fda7e30258748b29412c2b3d4c6b

SHA512
c2ee84a9aeac34f7b51426d12f87bb35d8c3238bb26a6e14f412ea485e5bd3b8fb5b1231323d4b089cf69d8180a38ddd7fd593cc52cbdf250125ad02d66eea9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
19KB

MD5
d6ad0f2652460f428c0e8fc40b6f6115

SHA1
1a5152871abc5cf3d4868a218de665105563775e

SHA256
4ef09fa6510eeebb4855b6f197b20a7a27b56368c63cc8a3d1014fa4231ab93a

SHA512
ceafeee932919bc002b111d6d67b7c249c85d30da35dfbcebd1f37db51e506ac161e4ee047ff8f7bf0d08da6a7f8b97e802224920bd058f8e790e6fa0ee48b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-core-timezone-l1-1-0.dll

Filesize
19KB

MD5
eab486e4719b916cad05d64cd4e72e43

SHA1
876c256fb2aeb0b25a63c9ee87d79b7a3c157ead

SHA256
05fe96faa8429992520451f4317fbceba1b17716fa2caf44ddc92ede88ce509d

SHA512
c50c3e656cc28a2f4f6377ba24d126bdc248a3125dca490994f8cace0a4903e23346ae937bb5b0a333f7d39ece42665ae44fde2fd5600873489f3982151a0f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
23KB

MD5
21b509d048418922b92985696710afca

SHA1
c499dd098aab8c7e05b8b0fd55f994472d527203

SHA256
fe7336d2fb3b13a00b5b4ce055a84f0957daefdace94f21b88e692e54b678ac3

SHA512
c517b02d4e94cf8360d98fd093bca25e8ae303c1b4500cf4cf01f78a7d7ef5f581b99a0371f438c6805a0b3040a0e06994ba7b541213819bd07ec8c6251cb9bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
f22faca49e4d5d80ec26ed31e7ecd0e0

SHA1
473bcbfb78e6a63afd720b5cbe5c55d9495a3d88

SHA256
1eb30ea95dae91054a33a12b1c73601518d28e3746db552d7ce120da589d4cf4

SHA512
c8090758435f02e3659d303211d78102c71754ba12b0a7e25083fd3529b3894dc3ab200b02a2899418cc6ed3b8f483d36e6c2bf86ce2a34e5fd9ad0483b73040

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\python38.dll

Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\ucrtbase.dll

Filesize
1021KB

MD5
4e326feeb3ebf1e3eb21eeb224345727

SHA1
f156a272dbc6695cc170b6091ef8cd41db7ba040

SHA256
3c60056371f82e4744185b6f2fa0c69042b1e78804685944132974dd13f3b6d9

SHA512
be9420a85c82eeee685e18913a7ff152fcead72a90ddcc2bcc8ab53a4a1743ae98f49354023c0a32b3a1d919bda64b5d455f6c3a49d4842bbba4aa37c1d05d67

Download Submit
C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll

Filesize
124KB

MD5
c2f3fbbbe6d5f48a71b6b168b1485866

SHA1
1cd56cfc2dc07880b65bd8a1f5b7147633f5d553

SHA256
c7ed512058bc924045144daa16701da10f244ac12a5ea2de901e59dce6470839

SHA512
e211f18c2850987529336e0d20aa894533c1f6a8ae6745e320fd394a9481d3a956c719ac29627afd783e36e5429c0325b98e60aee2a830e75323c276c72f845a

Download Submit
C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll

Filesize
1.2MB

MD5
c6aabb27450f1a9939a417e86bf53217

SHA1
b8ef3bb7575139fd6997379415d7119e452b5fc4

SHA256
b91a3743c7399aee454491862e015ef6fc668a25d1aa2816e065a86a03f6be35

SHA512
e5fe205cb0f419e0a320488d6fa4a70e5ed58f25b570b41412ebd4f32bbe504ff75acb20bfea22513102630cf653a41e5090051f20af2ed3aadb53ce16a05944

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RSEKPAES06CNQ1OF8776.temp

Filesize
7KB

MD5
fccc67c6f3b882c4f8f0548038c4c60f

SHA1
6c46cc257653b61ff5cad48421ecc7ae5692c53c

SHA256
eef35c824de1172503c3766e92d05115df048bdcc64eb8369ca39fddd666e859

SHA512
ce37c64c167c755e6399e442d9647807ff50f34f152ab83c1da1b260a4f8d92b62acabc93534004df122d29db09998196e440c13a9778e1789414c776be9a4b9

Download Submit
\Users\Admin\AppData\Local\Temp\62D8.tmp.ctx.exe

Filesize
5.6MB

MD5
ae2a4249c8389603933df4f806546c96

SHA1
a71ad1c875e0282b84451095e01d9c1709129643

SHA256
cbe157a18df07d512f3e4939d048f6419163892bf0cc5d5694eaadc7809d2477

SHA512
1c40ef124087b8ff3b66ddbcdbef1cd7ffcd112d137dbf0a5ff3b636642cae35b8d4f12eb38506da86ab81984edd6552dc395f072fed37d120daf064ba468cd2

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23442\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-core-file-l2-1-0.dll

Filesize
19KB

MD5
7d4d4593b478b4357446c106b64e61f8

SHA1
8a4969c9e59d7a7485c8cc5723c037b20dea5c9d

SHA256
0a6e2224cde90a0d41926e8863f9956848ffbf19848e8855bd08953112afc801

SHA512
7bc9c473705ec98ba0c1da31c295937d97710cedefc660f6a5cb0512bae36ad23bebb2f6f14df7ce7f90ec3f817b02f577317fdd514560aab22cb0434d8e4e0b

Download Submit
\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe

Filesize
431KB

MD5
4962575a2378d5c72e7a836ea766e2ad

SHA1
549964178b12017622d3cbdda6dbfdef0904e7e2

SHA256
eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676

SHA512
911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53

Download Submit
memory/916-228-0x0000000000320000-0x0000000000372000-memory.dmp

Filesize
328KB

Download
memory/1172-1-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1248-90-0x0000000002D10000-0x0000000002D56000-memory.dmp

Filesize
280KB

Download
memory/1248-92-0x0000000002D10000-0x0000000002D56000-memory.dmp

Filesize
280KB

Download
memory/1248-94-0x0000000002DB0000-0x0000000002E03000-memory.dmp

Filesize
332KB

Download
memory/1728-64-0x0000000002800000-0x0000000002808000-memory.dmp

Filesize
32KB

Download
memory/1728-63-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/1748-183-0x0000000000A70000-0x0000000000AC2000-memory.dmp

Filesize
328KB

Download
memory/2212-38-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/2212-37-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download