amadey | d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202

Analysis

max time kernel
292s
max time network
291s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe
Size

1.8MB
MD5

d6c514c703aa1d130ac85dd4bfd9a4c4
SHA1

6458716c01788bc169105188f7c0c97dcb041290
SHA256

d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202
SHA512

549987e06fef44d5a0185914580b0fcf02dfe5237d02bd422c29e36492dc71e204d57b794f4df74afdc3aa854422eec66fc3d4f6a4eb22caaf986b24dbc7ea2a
SSDEEP

24576:I2XMSZC8uy6Uz242SVs9VtyZ+H6WDAuyJgFO93WJI6b8UKexOoAokZoKs5JIA5k3:5XKqz2f8duyJhRWJhRAokCXrkYbryJ

Score

10^/10

amadey e76b71 evasion trojan

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplong.exed73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Executes dropped EXE 6 IoCs

Processes:

axplong.exegold.exelummac2.exeNewLatest.exeHkbsse.exelegs.exe

pid process

2896 axplong.exe
1520 gold.exe
1256 lummac2.exe
264 NewLatest.exe
1976 Hkbsse.exe
696 legs.exe

pid	process
2896	axplong.exe
1520	gold.exe
1256	lummac2.exe
264	NewLatest.exe
1976	Hkbsse.exe
696	legs.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplong.exed73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine	d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe

Loads dropped DLL 13 IoCs

Processes:

d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exeaxplong.exeWerFault.exeNewLatest.exeWerFault.exe

pid	process
2312	d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe
2896	axplong.exe
1876	WerFault.exe
1876	WerFault.exe
1876	WerFault.exe
2896	axplong.exe
2896	axplong.exe
2896	axplong.exe
264	NewLatest.exe
2896	axplong.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

29 raw.githubusercontent.com
30 raw.githubusercontent.com
33 raw.githubusercontent.com
34 raw.githubusercontent.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exeaxplong.exe

pid process

2312 d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe
2896 axplong.exe
Drops file in Windows directory 2 IoCs

Processes:

d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exeNewLatest.exe

description ioc process

File created C:\Windows\Tasks\axplong.job d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe
File created C:\Windows\Tasks\Hkbsse.job NewLatest.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1876 1520 WerFault.exe gold.exe
1304 696 WerFault.exe legs.exe

flow	ioc
29	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
34	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\Tasks\axplong.job	d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe
File created	C:\Windows\Tasks\Hkbsse.job	NewLatest.exe

pid	pid_target	process	target process
1876	1520	WerFault.exe	gold.exe
1304	696	WerFault.exe	legs.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

axplong.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	axplong.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exeaxplong.exe

pid process

2312 d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe
2896 axplong.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exeNewLatest.exe

pid process

2312 d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe
264 NewLatest.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exeaxplong.exegold.exeNewLatest.exelegs.exe

description	pid	process	target process
PID 2312 wrote to memory of 2896	2312	d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe	axplong.exe
PID 2312 wrote to memory of 2896	2312	d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe	axplong.exe
PID 2312 wrote to memory of 2896	2312	d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe	axplong.exe
PID 2312 wrote to memory of 2896	2312	d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe	axplong.exe
PID 2896 wrote to memory of 1520	2896	axplong.exe	gold.exe
PID 2896 wrote to memory of 1520	2896	axplong.exe	gold.exe
PID 2896 wrote to memory of 1520	2896	axplong.exe	gold.exe
PID 2896 wrote to memory of 1520	2896	axplong.exe	gold.exe
PID 1520 wrote to memory of 1876	1520	gold.exe	WerFault.exe
PID 1520 wrote to memory of 1876	1520	gold.exe	WerFault.exe
PID 1520 wrote to memory of 1876	1520	gold.exe	WerFault.exe
PID 1520 wrote to memory of 1876	1520	gold.exe	WerFault.exe
PID 2896 wrote to memory of 1256	2896	axplong.exe	lummac2.exe
PID 2896 wrote to memory of 1256	2896	axplong.exe	lummac2.exe
PID 2896 wrote to memory of 1256	2896	axplong.exe	lummac2.exe
PID 2896 wrote to memory of 1256	2896	axplong.exe	lummac2.exe
PID 2896 wrote to memory of 264	2896	axplong.exe	NewLatest.exe
PID 2896 wrote to memory of 264	2896	axplong.exe	NewLatest.exe
PID 2896 wrote to memory of 264	2896	axplong.exe	NewLatest.exe
PID 2896 wrote to memory of 264	2896	axplong.exe	NewLatest.exe
PID 264 wrote to memory of 1976	264	NewLatest.exe	Hkbsse.exe
PID 264 wrote to memory of 1976	264	NewLatest.exe	Hkbsse.exe
PID 264 wrote to memory of 1976	264	NewLatest.exe	Hkbsse.exe
PID 264 wrote to memory of 1976	264	NewLatest.exe	Hkbsse.exe
PID 2896 wrote to memory of 696	2896	axplong.exe	legs.exe
PID 2896 wrote to memory of 696	2896	axplong.exe	legs.exe
PID 2896 wrote to memory of 696	2896	axplong.exe	legs.exe
PID 2896 wrote to memory of 696	2896	axplong.exe	legs.exe
PID 696 wrote to memory of 1304	696	legs.exe	WerFault.exe
PID 696 wrote to memory of 1304	696	legs.exe	WerFault.exe
PID 696 wrote to memory of 1304	696	legs.exe	WerFault.exe
PID 696 wrote to memory of 1304	696	legs.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe
"C:\Users\Admin\AppData\Local\Temp\d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2312

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2896

C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 84
4⤵
- Loads dropped DLL
- Program crash
PID:1876

C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
"C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"
3⤵
- Executes dropped EXE
PID:1256

C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:264

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
4⤵
- Executes dropped EXE
PID:1976

C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe
"C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 64
4⤵
- Loads dropped DLL
- Program crash
PID:1304

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe
Filesize
128KB

MD5
2b8afb3e99982119ec69ffacd467a239

SHA1
e74ee19d763cea84c759b2a2f9a86fc65da88dff

SHA256
5e3d68aa4ec69f0ba7f08182a5459e27aacf22bba3de505db85ba1f775aa8f99

SHA512
4f13d023c07d50f4155e075f1107e9a2defe1da82eb275462ea486746e7979fca25e0dbc03f176cad4449ee174599dd0ba60e74793afe16c1c2a0e735ab2bbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
Filesize
522KB

MD5
70a578f7f58456e475facd69469cf20a

SHA1
83e147e7ba01fa074b2f046b65978f838f7b1e8e

SHA256
5c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a

SHA512
707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
Filesize
310KB

MD5
6e3d83935c7a0810f75dfa9badc3f199

SHA1
9f7d7c0ea662bcdca9b0cda928dc339f06ef0730

SHA256
dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed

SHA512
9f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe
Filesize
659KB

MD5
bbd06263062b2c536b5caacdd5f81b76

SHA1
c38352c1c08fb0fa5e67a079998ef30ebc962089

SHA256
1875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9

SHA512
7faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe
Filesize
1.8MB

MD5
858a2d36fed6580cba91ae1fe51d3e98

SHA1
90d0951a11e33d594d1c3c18308962970392e828

SHA256
46a795d82030b7a68ffc67bbd5a89fbc1116605870309909e34a9208db607999

SHA512
eb3ded32781ab643b210635ae22541e0a152e6fab9077480a7b910169d5e0dc57f7b0cdfbabf0052d7bf8101287fdf1a4089c1b97f269497a19073d227dd5209

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF51A.tmp
Filesize
67KB

MD5
2d3dcf90f6c99f47e7593ea250c9e749

SHA1
51be82be4a272669983313565b4940d4b1385237

SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1935.tmp
Filesize
160KB

MD5
7186ad693b8ad9444401bd9bcd2217c2

SHA1
5c28ca10a650f6026b0df4737078fa4197f3bac1

SHA256
9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

SHA512
135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

Download Submit
\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Filesize
1.8MB

MD5
d6c514c703aa1d130ac85dd4bfd9a4c4

SHA1
6458716c01788bc169105188f7c0c97dcb041290

SHA256
d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202

SHA512
549987e06fef44d5a0185914580b0fcf02dfe5237d02bd422c29e36492dc71e204d57b794f4df74afdc3aa854422eec66fc3d4f6a4eb22caaf986b24dbc7ea2a

Download Submit
memory/1520-50-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1520-52-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2312-5-0x00000000009B0000-0x0000000000E80000-memory.dmp

Filesize
4.8MB

Download
memory/2312-14-0x00000000009B0000-0x0000000000E80000-memory.dmp

Filesize
4.8MB

Download
memory/2312-0-0x00000000009B0000-0x0000000000E80000-memory.dmp

Filesize
4.8MB

Download
memory/2312-15-0x00000000065B0000-0x0000000006A80000-memory.dmp

Filesize
4.8MB

Download
memory/2312-3-0x00000000009B0000-0x0000000000E80000-memory.dmp

Filesize
4.8MB

Download
memory/2312-2-0x00000000009B1000-0x00000000009DF000-memory.dmp

Filesize
184KB

Download
memory/2312-1-0x0000000077380000-0x0000000077382000-memory.dmp

Filesize
8KB

Download
memory/2896-23-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-249-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-25-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-51-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-24-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-22-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-85-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-21-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-127-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-18-0x0000000001141000-0x000000000116F000-memory.dmp

Filesize
184KB

Download
memory/2896-146-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-147-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-148-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-197-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-246-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-247-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-248-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-26-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-250-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-19-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-267-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-268-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-269-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-270-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-271-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-272-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-273-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-17-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-284-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-285-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-334-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-431-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-432-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-433-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download
memory/2896-434-0x0000000001140000-0x0000000001610000-memory.dmp

Filesize
4.8MB

Download