General

  • Target

    quarantine.7z

  • Size

    54.3MB

  • Sample

    250225-19r79a1jy2

  • MD5

    08658fd5f0b29be1f6a4f92db578a755

  • SHA1

    5eec40ab8aafccf860be38dfb2dab228c4060277

  • SHA256

    cc95c0db419de3ca25709f4c1abc74ebdb72947b1d4d7e35b4ab6c36ffdee484

  • SHA512

    2bd83fe29e3022236c5ffba7301fef53600ed4daf82462d4af23df9e98da6d6da09aaa7982805f20d4b28c4d4d9d4fe55093a4c9eaf99d107429fb60faf004ab

  • SSDEEP

    786432:AYaaWRRPYcd9pW4cJXNeWvOPrXKqgluMDOhxk+bQGzTG9JvwuUhRcj5uT68vnWqS:AqW4gWlmD2FDaQUKJvwB+ITfFIpL

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

xworm

C2

37.235.55.68:1987

abolhb.com:5050

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

lumma

C2

https://paleboreei.biz/api

Extracted

Family

amadey

Version

5.21

Botnet

a4d2cd

C2

http://cobolrationumelawrtewarms.com

http://jlgenfekjlfnvtgpegkwr.xyz

Attributes
  • install_dir

    a58456755d

  • install_file

    Gxtuum.exe

  • strings_key

    00fadbeacf092dfd58b48ef4ac68f826

  • url_paths

    /3ofn3jf3e2ljk/index.php

rc4.plain

Extracted

Family

systembc

C2

towerbingobongoboom.com

93.186.202.3

Attributes
  • dns

    5.132.191.104

Extracted

Family

vidar

Botnet

ir7am

C2

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Targets

    • Target

      quarantine/0iMSdYX.exe

    • Size

      10.2MB

    • MD5

      6e17c374e3828297ad1b8e40b3809c0c

    • SHA1

      44a28a2765149422d8384cda169c1cff77dee40c

    • SHA256

      fca0a09f36e3113cb76d31db06e30dc531a59556e237965ed0a7ebf33ffce11f

    • SHA512

      85426da583c9767ca6ddcfbac76b3e974ae10f6f93366a2e8f955fd1cffcaf016d16e380287eb2533a723283fa3134aca1327e1a79668fba314747fde5807032

    • SSDEEP

      196608:kncSogFdzTL3k2lY4VtuI3A6GxWZhg68PwTsjiCxLI15aDCQVg4fx:dcTL3k2lYUs768IQxLWsDCQVZx

    Score
    8/10
    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell and hides the display window.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Target

      quarantine/6NPpGdC.exe

    • Size

      339KB

    • MD5

      75728febe161947937f82f0f36ad99f8

    • SHA1

      d2b5a4970b73e03bd877b075bac0cdb3bfc510cf

    • SHA256

      0a88c347a294b22b6d6554b711db339bca86c568863dec7844a2badec6ef4282

    • SHA512

      7cfdf76b959895ae44abe4171662d9c6c28dfd444030d570fea0fa4f624adf226e35d655dd89b159a1e0d08bcd97dfe899c3646d7682aacf5f2dabfbdf3d9a67

    • SSDEEP

      6144:WHYaosINWXFGYJabd0UyB8kOKWAKo1Ze7OwEK/MNt8lEdgxbuZm/uPEMCfwoZH:WHH9INsFF4R0UyBSKW0lK/MNWqdgJuYP

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      quarantine/8NsQP4U.exe

    • Size

      818KB

    • MD5

      867903a3686f5cc6f5b9127cdfde51c7

    • SHA1

      c5ae9fb62c4d05b230066191f8edf91dc8fa986a

    • SHA256

      b2370b04f1b422b817299a8e6e17e30d60583b443f5923479462d2823a929706

    • SHA512

      0d54991e4efe890a8603d9c30b279a311a944379634abf626fb985d9212c3b486aef4d8a721104bd25dd3c55c4d59dc0ecdf2ac98c1edd826eaee7f098892680

    • SSDEEP

      24576:qkZLFhZd93PblKUNWt4Y4d93PblKUNWt4YZ:3FhzZPhKUNeSZPhKUNeZ

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      quarantine/Cv5YtUn.exe

    • Size

      1.6MB

    • MD5

      765bdc0f8bc0d77f7414e7a36ae45fd9

    • SHA1

      c303968d61bfeb154a110549217d40bbdaa7439c

    • SHA256

      aa8f8a3e268493157e62d93ab9cafb94573606fe43a80e63e3e4f2e5c9b22a5b

    • SHA512

      5bb1267c5f4b7dc67d7da75af08ce616d5f518ea5469443ded642c2c7410256b370d1b01c355191ae9df8cb3e56ce31910ff153761787aad054148b12add5718

    • SSDEEP

      49152:rKha/+cyVQ15lPzJkSnQOYnwOiYlBA7KVO3QTmdQQ:rPJNoBUKkemdJ

    Score
    1/10
    • Target

      quarantine/DeX17Gw.msi

    • Size

      11.5MB

    • MD5

      1e0d87c4ec6132d5bf05afabaa7f4aef

    • SHA1

      15f97b6a70aa5e4a2c7ad0fc2d09b55cb2afee89

    • SHA256

      6305d0fa3c60de876cab18e33f607ec51a2a6f9a8fc9f972951eeead35a69abe

    • SHA512

      17514bd13709e734acb161650700634d5c93ea487aa753c992d5eb2ce2fb7917e4bdfb5da199d913310acc6bdac96ff5d7108b67b6db2d3cd963ed99c4aaf2ad

    • SSDEEP

      196608:a6eKvNR5eaFhnO6S+eydkQeoAVVJAeBbfWRuWlT6mqjLMZ+O6cP4vTHiZ9gnqa0:a67X5eUHSZQZAu3Ea3qnRXLiInqrx

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      quarantine/E3WGlpL.exe

    • Size

      2.9MB

    • MD5

      522da810421341bcb17cbbc6c3a5b985

    • SHA1

      400ac9b327e8b78c1d6171c95248bd527cf8adef

    • SHA256

      4fdde450218490a8708204630aa45ab49241504d84bce8309319ab7b41f669b0

    • SHA512

      46f49554ea5096a3fb47efa2421ef1c7b35dbec3519c28eb74bd3705a2366e54e946909c043b46477c00f2bacef6e6ffe733c613098763bf8ce56a42fbed36a2

    • SSDEEP

      49152:SDpV8gO7QtA8XJnRSBon8oImv+C9z2spuMQc:cpo8tbXJnRSC8oIm2C7puMj

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      quarantine/JhOTKwS.exe

    • Size

      2.1MB

    • MD5

      8940bae456acc0c645a7214d5dbea2e0

    • SHA1

      2fa738795294f52d17aa11d82e9196627e9e6a59

    • SHA256

      87e091406c822e25163cf36de51112a543d191786890c82fa6580fca7cb3ac92

    • SHA512

      4cba088bbd234129344171baa4e027a36ffa058a511ad0c5624fb9cedee88282d9176a00159539b55ada662ca2b7340b3deed27e6af256f315f888514380e8c5

    • SSDEEP

      49152:nEg8nw5HlVc2wz6NtZ1ouOTLLWm/GZm3OEq:nE05FVcH63PFOTLCHm3O

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      quarantine/MegVlau.exe

    • Size

      349KB

    • MD5

      936f4b47e08ca09483ca85f7b901eb0f

    • SHA1

      3b44a49e818bbbbafe8a5a41ef6a055c9e9200fd

    • SHA256

      fad4e974cc163c386e77091efb9bbffab7f5ea4559c111baaee9954f8b3e3ce1

    • SHA512

      62e29469021d17c0bf28548265911bb28148ca2602e0b237183e08d4b7681a1031d2600a8518e6effd38a63ba0220d7aa926edcfdd6d8ecf26968418d20b9cef

    • SSDEEP

      6144:3HYaosINWXFGYJabd0UyB8kOKWAKo1Ze7OwEK/MNt8lEdgxbuZm/uPEtCfwoZIEO:3HH9INsFF4R0UyBSKW0lK/MNWqdgJuY5

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      quarantine/Q7t2AMs.exe

    • Size

      1.8MB

    • MD5

      e3db5749715032f09380e2b83170df85

    • SHA1

      5eba9270b0a48ffda040d10e08aef49acbb4452d

    • SHA256

      0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe

    • SHA512

      682cd0e0a9c915b6c7b0b95186c18536167059920abe8afd92efa7259f6a5d918a4e7a7da7c32f44bc62e6d16fd8988ea046a21429b83bbe37457fdf3e77e199

    • SSDEEP

      49152:piz+b/M/T/XsCWYkr+Sah/lROSwrk9CUMeUz:piCb2/XsLrPCOd4g/x

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

    • Systembc family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      quarantine/RHPLumH.exe

    • Size

      4.0MB

    • MD5

      8d0868398de40e6e16a7c541f07e5e09

    • SHA1

      f234a679a7888427b3d78d2c56fc1fc60e84bb78

    • SHA256

      d3477c131aada6b4af6ac738bc3d2d08785d5b8c981e92e621013b4653c651bb

    • SHA512

      c134a2e9545d136716e56adba8efd9cd7c21ac4b2948efe7d482708474e1b00117382093f90ea51af72d93787cff07c490b917afa6918d4537a2b7687cbab86c

    • SSDEEP

      49152:H2LAgJxIJTN03QaiX1OOM2b9Ndt9NdtvcA:fAIpN039q1OOM24

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      quarantine/Yg1HwMX.exe

    • Size

      7.0MB

    • MD5

      2f17f726e2068521a858d0caa2f0a1a0

    • SHA1

      48357a59c84c8976b87c35ff76d916c4a6c64596

    • SHA256

      98dfaf81e8d95d883d12555caaa38a034c724b1fde76a03b64103cc673a45d84

    • SHA512

      0e6b98246f289e9b2ec45584fd15ed1b9a538903ae72ef3074ce74987fa8a274b585f414be39348408ef5256ba82e81aaedfb5625f9b7fc1749233747260f68c

    • SSDEEP

      98304:u3q5LCgVvaeHUjftxbAXOANfXmBq/cx9ICsJ59j8sImds54b330FcaUC5hHSgbC+:Hj+KwQW

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      quarantine/bgUvqLl.exe

    • Size

      2.8MB

    • MD5

      21cbf1c19605fa8a2dc9cd40990139ca

    • SHA1

      a2c2c891b7f156bbf46428889cec083a4ae1b94c

    • SHA256

      2bed46c8233ce24e911ae5264ffd59ec0932e711c2e5ba8d4171d34684d156ac

    • SHA512

      43fe77ca93a34fdab17e508933c5476b149103320cce0abd44ea5bbe7ab91eec9990c3fce591f0ccd677b375ca74225e45d27638e5459e949cd18d78a61e3e00

    • SSDEEP

      49152:oD51sJEHUYm3NbVVFHQ8nPM0bIY0D0B24eDHVdDma:6sJTYmdbVVFHQsk0bIYPTAHHm

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      quarantine/netdriver.exe

    • Size

      1.7MB

    • MD5

      77c6d4944106ec80bb717043741b57da

    • SHA1

      aa1550acb66847744e99ee1181d8a7c9035f1339

    • SHA256

      686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80

    • SHA512

      b2d7b47a95dafb732d65b7af2131ceb0b60c950c29697f4c07ff21381599558990fa03a9b8fc7dfe1d96787f6adce90b4b916c71cf2f4f32c4b070aae7fcd16a

    • SSDEEP

      49152:2SbpgcpHeCiXhWpshQEQCw+GEeL7p22p3b6I8:2Sbi0e1NyES+GEeg2p3b18

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

    • Systembc family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      quarantine/pwldr.exe

    • Size

      615KB

    • MD5

      4c0b4151abf229e409fea22c7cc35f69

    • SHA1

      bcb7d6a099d08829e984389874df95e1dbf3c41f

    • SHA256

      4fafaa6fe32109ff7f50a1859160bf605e67fe7fe0d55016dcdb450daf904084

    • SHA512

      d36f197d8901841c112958b1fd767ca367761019e1aa08bc54813e7f693a4b6b0a9073e945590124ef2db0c83c3b11fd40c62a215e212470f511de634f13e35d

    • SSDEEP

      12288:il+79fPrgMgm+w7dioulRCQzx3vAO0SogtRV8sxzx4PmD84:ilc9fPrgMgm+sdhulDx/5dRV8Qz2Pp

    Score
    6/10
    • Target

      quarantine/q3na5Mc.exe

    • Size

      148KB

    • MD5

      4871c39a4a7c16a4547820b8c749a32c

    • SHA1

      09728bba8d55355e9434305941e14403a8e1ca63

    • SHA256

      8aa3e2705e32e8175242fcf19391ab909037111f19cf5f9953885c911f440453

    • SHA512

      32fa81a1501b727cda79d25159e60ee5c627a8f4db6cbcc741b022d3d6e45c43eeb4fbcd8c8043f71bc23a4a326f66553314384c39c97aaf58b6385d9aac26ec

    • SSDEEP

      3072:9RmS+WQuCw5fp4b/7XHrRKl/OiJeNKUjQsFZy+j6WafP:6vu5fp4Dcl/OMeNfsEjiX

    • Detect Vidar Stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      quarantine/rA6Gys9.exe

    • Size

      2.0MB

    • MD5

      9f963f569f499ad6c00df38c46cadb48

    • SHA1

      8ca20964db76167eb61c5bba63cf47d2f90d59ac

    • SHA256

      7eb17541df10b37811544073ee47fa730d56b86cab9b42754a813af23dbcf555

    • SHA512

      80b09129b13c7c4f658f78231c39e18a29c501af3db36314c8d9e617bc73a1080be96e8c745b19d89fb94d40f09816c084c0fea170ac5d921931c6124e51f33a

    • SSDEEP

      24576:6N0u8stG/c6QvL4bYsa9UBDnaF4BzIiI2tqDNuf1OhkdCP7ycI9qnTXihjGqHQT+:6PNwsqSusC62dGX7Sjj

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

092155 amadey
Score
10/10

behavioral1

execution
Score
8/10

behavioral2

execution
Score
8/10

behavioral3

discovery
Score
3/10

behavioral4

discovery spyware stealer
Score
7/10

behavioral5

discovery spyware stealer
Score
7/10

behavioral6

discovery spyware stealer
Score
7/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

discovery persistence privilege_escalation
Score
6/10

behavioral10

discovery persistence privilege_escalation
Score
6/10

behavioral11

defense_evasion discovery spyware stealer
Score
9/10

behavioral12

defense_evasion discovery spyware stealer
Score
9/10

behavioral13

xworm discovery rat spyware stealer trojan
Score
10/10

behavioral14

xworm discovery rat spyware stealer trojan
Score
10/10

behavioral15

lumma discovery spyware stealer
Score
10/10

behavioral16

lumma discovery spyware stealer
Score
10/10

behavioral17

amadey systembc a4d2cd defense_evasion discovery trojan
Score
10/10

behavioral18

amadey systembc a4d2cd defense_evasion discovery trojan
Score
10/10

behavioral19

xworm discovery rat trojan
Score
10/10

behavioral20

xworm discovery rat trojan
Score
10/10

behavioral21

discovery
Score
3/10

behavioral22

discovery spyware stealer
Score
7/10

behavioral23

defense_evasion discovery spyware stealer
Score
9/10

behavioral24

defense_evasion discovery spyware stealer
Score
9/10

behavioral25

systembc defense_evasion discovery trojan
Score
10/10

behavioral26

systembc defense_evasion discovery trojan
Score
10/10

behavioral27

persistence
Score
6/10

behavioral28

persistence
Score
6/10

behavioral29

vidar ir7am credential_access discovery spyware stealer
Score
10/10

behavioral30

vidar ir7am credential_access discovery spyware stealer
Score
10/10

behavioral31

discovery
Score
3/10

behavioral32

Score
1/10