amadey | 94be47c583f7fec1ca08ac057d4ce6b1caa2d7a441ba26c282b9f8b319b721bb

Analysis

max time kernel
124s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94be47c583f7fec1ca08ac057d4ce6b1caa2d7a441ba26c282b9f8b319b721bb.exe
Size

998KB
MD5

f63be2a9380f5726ec342298f2f16265
SHA1

ae1a96bcb77015e9c16a734167095b1263772ce8
SHA256

94be47c583f7fec1ca08ac057d4ce6b1caa2d7a441ba26c282b9f8b319b721bb
SHA512

48d216da4e2a062aa6bf3123ee8b0f185baf29d0afaa116bed269835c0eff45aa495c079205bf83c0004c3ffd4c465d95b1172f9ba55bcd49dbc7cd868f1a83f
SSDEEP

24576:Cywb72+/Cjy/iQ+bE5Thfnr9dco3dcOdjkfOc8rW:pPPhfw1dnTNtddG

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz8149.exev0885ci.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz8149.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz8149.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v0885ci.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v0885ci.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v0885ci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz8149.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz8149.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz8149.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz8149.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v0885ci.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v0885ci.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v0885ci.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4680-210-0x0000000003A90000-0x0000000003ACF000-memory.dmp	family_redline
behavioral1/memory/4680-211-0x0000000003A90000-0x0000000003ACF000-memory.dmp	family_redline
behavioral1/memory/4680-213-0x0000000003A90000-0x0000000003ACF000-memory.dmp	family_redline
behavioral1/memory/4680-215-0x0000000003A90000-0x0000000003ACF000-memory.dmp	family_redline
behavioral1/memory/4680-217-0x0000000003A90000-0x0000000003ACF000-memory.dmp	family_redline
behavioral1/memory/4680-219-0x0000000003A90000-0x0000000003ACF000-memory.dmp	family_redline
behavioral1/memory/4680-222-0x0000000003A90000-0x0000000003ACF000-memory.dmp	family_redline
behavioral1/memory/4680-225-0x0000000003A90000-0x0000000003ACF000-memory.dmp	family_redline
behavioral1/memory/4680-226-0x0000000006310000-0x0000000006320000-memory.dmp	family_redline
behavioral1/memory/4680-229-0x0000000003A90000-0x0000000003ACF000-memory.dmp	family_redline
behavioral1/memory/4680-233-0x0000000003A90000-0x0000000003ACF000-memory.dmp	family_redline
behavioral1/memory/4680-231-0x0000000003A90000-0x0000000003ACF000-memory.dmp	family_redline
behavioral1/memory/4680-235-0x0000000003A90000-0x0000000003ACF000-memory.dmp	family_redline
behavioral1/memory/4680-237-0x0000000003A90000-0x0000000003ACF000-memory.dmp	family_redline
behavioral1/memory/4680-239-0x0000000003A90000-0x0000000003ACF000-memory.dmp	family_redline
behavioral1/memory/4680-241-0x0000000003A90000-0x0000000003ACF000-memory.dmp	family_redline
behavioral1/memory/4680-243-0x0000000003A90000-0x0000000003ACF000-memory.dmp	family_redline
behavioral1/memory/4680-245-0x0000000003A90000-0x0000000003ACF000-memory.dmp	family_redline
behavioral1/memory/4680-247-0x0000000003A90000-0x0000000003ACF000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y33sG73.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	y33sG73.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

Processes:

zap1128.exezap7229.exezap6373.exetz8149.exev0885ci.exew31TP33.exexhNqR16.exey33sG73.exeoneetx.exeoneetx.exe

pid	process
464	zap1128.exe
1580	zap7229.exe
4388	zap6373.exe
4816	tz8149.exe
4128	v0885ci.exe
4680	w31TP33.exe
1692	xhNqR16.exe
1436	y33sG73.exe
2188	oneetx.exe
1532	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4828 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4828	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v0885ci.exetz8149.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v0885ci.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v0885ci.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz8149.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap1128.exezap7229.exezap6373.exe94be47c583f7fec1ca08ac057d4ce6b1caa2d7a441ba26c282b9f8b319b721bb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap1128.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7229.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap7229.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6373.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap6373.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	94be47c583f7fec1ca08ac057d4ce6b1caa2d7a441ba26c282b9f8b319b721bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	94be47c583f7fec1ca08ac057d4ce6b1caa2d7a441ba26c282b9f8b319b721bb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1128.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3728 4128 WerFault.exe v0885ci.exe
2136 4680 WerFault.exe w31TP33.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3240 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz8149.exev0885ci.exew31TP33.exexhNqR16.exe

pid process

4816 tz8149.exe
4816 tz8149.exe
4128 v0885ci.exe
4128 v0885ci.exe
4680 w31TP33.exe
4680 w31TP33.exe
1692 xhNqR16.exe
1692 xhNqR16.exe

pid	pid_target	process	target process
3728	4128	WerFault.exe	v0885ci.exe
2136	4680	WerFault.exe	w31TP33.exe

pid	process
3240	schtasks.exe

pid	process
4816	tz8149.exe
4816	tz8149.exe
4128	v0885ci.exe
4128	v0885ci.exe
4680	w31TP33.exe
4680	w31TP33.exe
1692	xhNqR16.exe
1692	xhNqR16.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz8149.exev0885ci.exew31TP33.exexhNqR16.exe

description	pid	process
Token: SeDebugPrivilege	4816	tz8149.exe
Token: SeDebugPrivilege	4128	v0885ci.exe
Token: SeDebugPrivilege	4680	w31TP33.exe
Token: SeDebugPrivilege	1692	xhNqR16.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y33sG73.exe

pid process

1436 y33sG73.exe

pid	process
1436	y33sG73.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

94be47c583f7fec1ca08ac057d4ce6b1caa2d7a441ba26c282b9f8b319b721bb.exezap1128.exezap7229.exezap6373.exey33sG73.exeoneetx.execmd.exe

description	pid	process	target process
PID 636 wrote to memory of 464	636	94be47c583f7fec1ca08ac057d4ce6b1caa2d7a441ba26c282b9f8b319b721bb.exe	zap1128.exe
PID 636 wrote to memory of 464	636	94be47c583f7fec1ca08ac057d4ce6b1caa2d7a441ba26c282b9f8b319b721bb.exe	zap1128.exe
PID 636 wrote to memory of 464	636	94be47c583f7fec1ca08ac057d4ce6b1caa2d7a441ba26c282b9f8b319b721bb.exe	zap1128.exe
PID 464 wrote to memory of 1580	464	zap1128.exe	zap7229.exe
PID 464 wrote to memory of 1580	464	zap1128.exe	zap7229.exe
PID 464 wrote to memory of 1580	464	zap1128.exe	zap7229.exe
PID 1580 wrote to memory of 4388	1580	zap7229.exe	zap6373.exe
PID 1580 wrote to memory of 4388	1580	zap7229.exe	zap6373.exe
PID 1580 wrote to memory of 4388	1580	zap7229.exe	zap6373.exe
PID 4388 wrote to memory of 4816	4388	zap6373.exe	tz8149.exe
PID 4388 wrote to memory of 4816	4388	zap6373.exe	tz8149.exe
PID 4388 wrote to memory of 4128	4388	zap6373.exe	v0885ci.exe
PID 4388 wrote to memory of 4128	4388	zap6373.exe	v0885ci.exe
PID 4388 wrote to memory of 4128	4388	zap6373.exe	v0885ci.exe
PID 1580 wrote to memory of 4680	1580	zap7229.exe	w31TP33.exe
PID 1580 wrote to memory of 4680	1580	zap7229.exe	w31TP33.exe
PID 1580 wrote to memory of 4680	1580	zap7229.exe	w31TP33.exe
PID 464 wrote to memory of 1692	464	zap1128.exe	xhNqR16.exe
PID 464 wrote to memory of 1692	464	zap1128.exe	xhNqR16.exe
PID 464 wrote to memory of 1692	464	zap1128.exe	xhNqR16.exe
PID 636 wrote to memory of 1436	636	94be47c583f7fec1ca08ac057d4ce6b1caa2d7a441ba26c282b9f8b319b721bb.exe	y33sG73.exe
PID 636 wrote to memory of 1436	636	94be47c583f7fec1ca08ac057d4ce6b1caa2d7a441ba26c282b9f8b319b721bb.exe	y33sG73.exe
PID 636 wrote to memory of 1436	636	94be47c583f7fec1ca08ac057d4ce6b1caa2d7a441ba26c282b9f8b319b721bb.exe	y33sG73.exe
PID 1436 wrote to memory of 2188	1436	y33sG73.exe	oneetx.exe
PID 1436 wrote to memory of 2188	1436	y33sG73.exe	oneetx.exe
PID 1436 wrote to memory of 2188	1436	y33sG73.exe	oneetx.exe
PID 2188 wrote to memory of 3240	2188	oneetx.exe	schtasks.exe
PID 2188 wrote to memory of 3240	2188	oneetx.exe	schtasks.exe
PID 2188 wrote to memory of 3240	2188	oneetx.exe	schtasks.exe
PID 2188 wrote to memory of 3084	2188	oneetx.exe	cmd.exe
PID 2188 wrote to memory of 3084	2188	oneetx.exe	cmd.exe
PID 2188 wrote to memory of 3084	2188	oneetx.exe	cmd.exe
PID 3084 wrote to memory of 1184	3084	cmd.exe	cmd.exe
PID 3084 wrote to memory of 1184	3084	cmd.exe	cmd.exe
PID 3084 wrote to memory of 1184	3084	cmd.exe	cmd.exe
PID 3084 wrote to memory of 220	3084	cmd.exe	cacls.exe
PID 3084 wrote to memory of 220	3084	cmd.exe	cacls.exe
PID 3084 wrote to memory of 220	3084	cmd.exe	cacls.exe
PID 3084 wrote to memory of 3384	3084	cmd.exe	cacls.exe
PID 3084 wrote to memory of 3384	3084	cmd.exe	cacls.exe
PID 3084 wrote to memory of 3384	3084	cmd.exe	cacls.exe
PID 3084 wrote to memory of 4788	3084	cmd.exe	cmd.exe
PID 3084 wrote to memory of 4788	3084	cmd.exe	cmd.exe
PID 3084 wrote to memory of 4788	3084	cmd.exe	cmd.exe
PID 3084 wrote to memory of 792	3084	cmd.exe	cacls.exe
PID 3084 wrote to memory of 792	3084	cmd.exe	cacls.exe
PID 3084 wrote to memory of 792	3084	cmd.exe	cacls.exe
PID 3084 wrote to memory of 4540	3084	cmd.exe	cacls.exe
PID 3084 wrote to memory of 4540	3084	cmd.exe	cacls.exe
PID 3084 wrote to memory of 4540	3084	cmd.exe	cacls.exe
PID 2188 wrote to memory of 4828	2188	oneetx.exe	rundll32.exe
PID 2188 wrote to memory of 4828	2188	oneetx.exe	rundll32.exe
PID 2188 wrote to memory of 4828	2188	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\94be47c583f7fec1ca08ac057d4ce6b1caa2d7a441ba26c282b9f8b319b721bb.exe
"C:\Users\Admin\AppData\Local\Temp\94be47c583f7fec1ca08ac057d4ce6b1caa2d7a441ba26c282b9f8b319b721bb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1128.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1128.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:464

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7229.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7229.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6373.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6373.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4388

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8149.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8149.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0885ci.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0885ci.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1080
6⤵
- Program crash
PID:3728

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w31TP33.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w31TP33.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1356
5⤵
- Program crash
PID:2136

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xhNqR16.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xhNqR16.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y33sG73.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y33sG73.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:3240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1184

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:220

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4788

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:792

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:4540

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4128 -ip 4128
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4680 -ip 4680
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y33sG73.exe
Filesize
236KB

MD5
a67aa1fc702a48421195f809d4a99a09

SHA1
92908bf7d5902044e95e8020dd235f23f963547b

SHA256
bb11dd08679ba47d52ed02c2fada87a1310e6680a5ce7589ff26ff1956b672de

SHA512
60d8cabe7fa9f826b8f4c1ea98b4f73d0979d2f832074f24c68dc9d303ba34f5b46b32afee6c6575e51390ab1c158425fae4aa4af7e85ee15c881e819c22d727

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y33sG73.exe
Filesize
236KB

MD5
a67aa1fc702a48421195f809d4a99a09

SHA1
92908bf7d5902044e95e8020dd235f23f963547b

SHA256
bb11dd08679ba47d52ed02c2fada87a1310e6680a5ce7589ff26ff1956b672de

SHA512
60d8cabe7fa9f826b8f4c1ea98b4f73d0979d2f832074f24c68dc9d303ba34f5b46b32afee6c6575e51390ab1c158425fae4aa4af7e85ee15c881e819c22d727

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1128.exe
Filesize
815KB

MD5
1691282a10659ed157462a2628e02b40

SHA1
07fa784babe644c43a6ea1f5d273ca4855aca300

SHA256
6c8a70cc6e89af18eec1e016162250e1de6c9e16db8639c402e777a4279b5aad

SHA512
2125fe30b21eeeeb3b4231530e7a22943edf74184c4c8cbfc5bd529ceb9778c371b6f9ebcd6262363631812dd22806703d32639fc7b1d30bd9622053d7583ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1128.exe
Filesize
815KB

MD5
1691282a10659ed157462a2628e02b40

SHA1
07fa784babe644c43a6ea1f5d273ca4855aca300

SHA256
6c8a70cc6e89af18eec1e016162250e1de6c9e16db8639c402e777a4279b5aad

SHA512
2125fe30b21eeeeb3b4231530e7a22943edf74184c4c8cbfc5bd529ceb9778c371b6f9ebcd6262363631812dd22806703d32639fc7b1d30bd9622053d7583ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xhNqR16.exe
Filesize
175KB

MD5
9ec01710a95400d0f3f85762d6b51737

SHA1
c72da94ba512f62db3110f411c73d888a355ef8e

SHA256
081aa3d29f800cbadfade90f8e901580bee6a76ed91e67888103782bb483b1a0

SHA512
c9a0ecab5041c33721776168935e1a6a9b2e1e93456bfa2d83b7c45c6d80d14d776ea74ebf251822ca76cf8af106d77b51bf88b8db0b47c69a23e1b9b3d741da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xhNqR16.exe
Filesize
175KB

MD5
9ec01710a95400d0f3f85762d6b51737

SHA1
c72da94ba512f62db3110f411c73d888a355ef8e

SHA256
081aa3d29f800cbadfade90f8e901580bee6a76ed91e67888103782bb483b1a0

SHA512
c9a0ecab5041c33721776168935e1a6a9b2e1e93456bfa2d83b7c45c6d80d14d776ea74ebf251822ca76cf8af106d77b51bf88b8db0b47c69a23e1b9b3d741da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7229.exe
Filesize
673KB

MD5
5aa1781e978df6aa9d1797706f1bac0b

SHA1
46cdaa13e072b05e6503ab05631f5c9c231fff36

SHA256
359fbffc1e121a1f7bcddd7533b94aad9e1a6d41a8fa4d677d0a01fd03aa2afd

SHA512
c48596833900d6f74dacdedaabcceada042c6a36e11d0cf99a9bebc06a9318117d6e5587178a66586108155b1953360f33f4e7744624343799691ed782322a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7229.exe
Filesize
673KB

MD5
5aa1781e978df6aa9d1797706f1bac0b

SHA1
46cdaa13e072b05e6503ab05631f5c9c231fff36

SHA256
359fbffc1e121a1f7bcddd7533b94aad9e1a6d41a8fa4d677d0a01fd03aa2afd

SHA512
c48596833900d6f74dacdedaabcceada042c6a36e11d0cf99a9bebc06a9318117d6e5587178a66586108155b1953360f33f4e7744624343799691ed782322a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w31TP33.exe
Filesize
359KB

MD5
0cc965a5ba52bf04d956acdf0a3d161c

SHA1
e7c39c63489276efe796cb329bce02cf679f277a

SHA256
cbd2a1a6e42fd2034bdb3d0c3df723bb0a796bef5136019b22d4c2dc179e6add

SHA512
3361ce2924921d39836ac5a0ad2b8ddffba0ae6c91deb5f195a5d530e2a53a59aca67d068d7f0efb1c71b75a3cd26ed08e0553e0cfbd390824d217f7d461d684

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w31TP33.exe
Filesize
359KB

MD5
0cc965a5ba52bf04d956acdf0a3d161c

SHA1
e7c39c63489276efe796cb329bce02cf679f277a

SHA256
cbd2a1a6e42fd2034bdb3d0c3df723bb0a796bef5136019b22d4c2dc179e6add

SHA512
3361ce2924921d39836ac5a0ad2b8ddffba0ae6c91deb5f195a5d530e2a53a59aca67d068d7f0efb1c71b75a3cd26ed08e0553e0cfbd390824d217f7d461d684

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6373.exe
Filesize
333KB

MD5
e043d11246c2ba159228539a08d72a13

SHA1
a664d518f85fa40fc7be2b084ea8843d451d80bf

SHA256
d64ad76b2d3713c3f18c0e654df9401ae4c9280c1b1769f90e8e1d24a9e3ae19

SHA512
ed9c87ce698b02bfdaa342f1f5106c1b2923c538aa0ee69186583ba4370ac2600706cc5dadf765fc2b20b9685ab1f25504d1e3c7763c1b51b0daae0fba210670

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6373.exe
Filesize
333KB

MD5
e043d11246c2ba159228539a08d72a13

SHA1
a664d518f85fa40fc7be2b084ea8843d451d80bf

SHA256
d64ad76b2d3713c3f18c0e654df9401ae4c9280c1b1769f90e8e1d24a9e3ae19

SHA512
ed9c87ce698b02bfdaa342f1f5106c1b2923c538aa0ee69186583ba4370ac2600706cc5dadf765fc2b20b9685ab1f25504d1e3c7763c1b51b0daae0fba210670

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8149.exe
Filesize
11KB

MD5
cba041d380d1b2863c7b9398c633abae

SHA1
b40b23d738ebdfed9bde7b159f723606fbd86bed

SHA256
60a96d1780484969d87a4822a23fb26c8f45f898362d45bd00619bb79bc75fb3

SHA512
8ddd60a0abd977175379f3ccb0b600c3a0f1505dd6c1a85ac341029c36bbaf510c83e041f77ec1dfe4fee41fd79897d66ba671b7a2ca8a8690610d69da5109ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8149.exe
Filesize
11KB

MD5
cba041d380d1b2863c7b9398c633abae

SHA1
b40b23d738ebdfed9bde7b159f723606fbd86bed

SHA256
60a96d1780484969d87a4822a23fb26c8f45f898362d45bd00619bb79bc75fb3

SHA512
8ddd60a0abd977175379f3ccb0b600c3a0f1505dd6c1a85ac341029c36bbaf510c83e041f77ec1dfe4fee41fd79897d66ba671b7a2ca8a8690610d69da5109ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0885ci.exe
Filesize
301KB

MD5
ef552ea0ed76afba790d173d164d6c20

SHA1
aedcdb0c6530211aac64229aacb12c01b3427d8c

SHA256
f73f846965be2717f7cfded765563d97a710845518b7d7d34fd24aefcf3ee280

SHA512
e5bdd70d2bd346ba9454d9748709a1c694ea18b5668aa6e9261030f16ba4af59665d992d665014434dfbd5002b6bf3fb23be3d1d8747ae29566740c12b9b560b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0885ci.exe
Filesize
301KB

MD5
ef552ea0ed76afba790d173d164d6c20

SHA1
aedcdb0c6530211aac64229aacb12c01b3427d8c

SHA256
f73f846965be2717f7cfded765563d97a710845518b7d7d34fd24aefcf3ee280

SHA512
e5bdd70d2bd346ba9454d9748709a1c694ea18b5668aa6e9261030f16ba4af59665d992d665014434dfbd5002b6bf3fb23be3d1d8747ae29566740c12b9b560b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
a67aa1fc702a48421195f809d4a99a09

SHA1
92908bf7d5902044e95e8020dd235f23f963547b

SHA256
bb11dd08679ba47d52ed02c2fada87a1310e6680a5ce7589ff26ff1956b672de

SHA512
60d8cabe7fa9f826b8f4c1ea98b4f73d0979d2f832074f24c68dc9d303ba34f5b46b32afee6c6575e51390ab1c158425fae4aa4af7e85ee15c881e819c22d727

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
a67aa1fc702a48421195f809d4a99a09

SHA1
92908bf7d5902044e95e8020dd235f23f963547b

SHA256
bb11dd08679ba47d52ed02c2fada87a1310e6680a5ce7589ff26ff1956b672de

SHA512
60d8cabe7fa9f826b8f4c1ea98b4f73d0979d2f832074f24c68dc9d303ba34f5b46b32afee6c6575e51390ab1c158425fae4aa4af7e85ee15c881e819c22d727

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
a67aa1fc702a48421195f809d4a99a09

SHA1
92908bf7d5902044e95e8020dd235f23f963547b

SHA256
bb11dd08679ba47d52ed02c2fada87a1310e6680a5ce7589ff26ff1956b672de

SHA512
60d8cabe7fa9f826b8f4c1ea98b4f73d0979d2f832074f24c68dc9d303ba34f5b46b32afee6c6575e51390ab1c158425fae4aa4af7e85ee15c881e819c22d727

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
a67aa1fc702a48421195f809d4a99a09

SHA1
92908bf7d5902044e95e8020dd235f23f963547b

SHA256
bb11dd08679ba47d52ed02c2fada87a1310e6680a5ce7589ff26ff1956b672de

SHA512
60d8cabe7fa9f826b8f4c1ea98b4f73d0979d2f832074f24c68dc9d303ba34f5b46b32afee6c6575e51390ab1c158425fae4aa4af7e85ee15c881e819c22d727

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1692-1142-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/1692-1141-0x0000000000E20000-0x0000000000E52000-memory.dmp

Filesize
200KB

Download
memory/4128-181-0x0000000001E60000-0x0000000001E72000-memory.dmp

Filesize
72KB

Download
memory/4128-191-0x0000000001E60000-0x0000000001E72000-memory.dmp

Filesize
72KB

Download
memory/4128-189-0x0000000001E60000-0x0000000001E72000-memory.dmp

Filesize
72KB

Download
memory/4128-187-0x0000000001E60000-0x0000000001E72000-memory.dmp

Filesize
72KB

Download
memory/4128-193-0x0000000001E60000-0x0000000001E72000-memory.dmp

Filesize
72KB

Download
memory/4128-195-0x0000000001E60000-0x0000000001E72000-memory.dmp

Filesize
72KB

Download
memory/4128-197-0x0000000001E60000-0x0000000001E72000-memory.dmp

Filesize
72KB

Download
memory/4128-199-0x0000000001E60000-0x0000000001E72000-memory.dmp

Filesize
72KB

Download
memory/4128-200-0x0000000000400000-0x0000000001AE3000-memory.dmp

Filesize
22.9MB

Download
memory/4128-201-0x0000000006300000-0x0000000006310000-memory.dmp

Filesize
64KB

Download
memory/4128-202-0x0000000006300000-0x0000000006310000-memory.dmp

Filesize
64KB

Download
memory/4128-203-0x0000000006300000-0x0000000006310000-memory.dmp

Filesize
64KB

Download
memory/4128-205-0x0000000000400000-0x0000000001AE3000-memory.dmp

Filesize
22.9MB

Download
memory/4128-185-0x0000000001E60000-0x0000000001E72000-memory.dmp

Filesize
72KB

Download
memory/4128-183-0x0000000001E60000-0x0000000001E72000-memory.dmp

Filesize
72KB

Download
memory/4128-179-0x0000000001E60000-0x0000000001E72000-memory.dmp

Filesize
72KB

Download
memory/4128-177-0x0000000001E60000-0x0000000001E72000-memory.dmp

Filesize
72KB

Download
memory/4128-175-0x0000000001E60000-0x0000000001E72000-memory.dmp

Filesize
72KB

Download
memory/4128-173-0x0000000001E60000-0x0000000001E72000-memory.dmp

Filesize
72KB

Download
memory/4128-172-0x0000000001E60000-0x0000000001E72000-memory.dmp

Filesize
72KB

Download
memory/4128-171-0x0000000006300000-0x0000000006310000-memory.dmp

Filesize
64KB

Download
memory/4128-170-0x0000000006300000-0x0000000006310000-memory.dmp

Filesize
64KB

Download
memory/4128-169-0x0000000006300000-0x0000000006310000-memory.dmp

Filesize
64KB

Download
memory/4128-168-0x0000000006310000-0x00000000068B4000-memory.dmp

Filesize
5.6MB

Download
memory/4128-167-0x0000000001C40000-0x0000000001C6D000-memory.dmp

Filesize
180KB

Download
memory/4680-219-0x0000000003A90000-0x0000000003ACF000-memory.dmp

Filesize
252KB

Download
memory/4680-233-0x0000000003A90000-0x0000000003ACF000-memory.dmp

Filesize
252KB

Download
memory/4680-231-0x0000000003A90000-0x0000000003ACF000-memory.dmp

Filesize
252KB

Download
memory/4680-235-0x0000000003A90000-0x0000000003ACF000-memory.dmp

Filesize
252KB

Download
memory/4680-237-0x0000000003A90000-0x0000000003ACF000-memory.dmp

Filesize
252KB

Download
memory/4680-239-0x0000000003A90000-0x0000000003ACF000-memory.dmp

Filesize
252KB

Download
memory/4680-241-0x0000000003A90000-0x0000000003ACF000-memory.dmp

Filesize
252KB

Download
memory/4680-243-0x0000000003A90000-0x0000000003ACF000-memory.dmp

Filesize
252KB

Download
memory/4680-245-0x0000000003A90000-0x0000000003ACF000-memory.dmp

Filesize
252KB

Download
memory/4680-247-0x0000000003A90000-0x0000000003ACF000-memory.dmp

Filesize
252KB

Download
memory/4680-1120-0x00000000068D0000-0x0000000006EE8000-memory.dmp

Filesize
6.1MB

Download
memory/4680-1121-0x0000000006EF0000-0x0000000006FFA000-memory.dmp

Filesize
1.0MB

Download
memory/4680-1122-0x0000000007020000-0x0000000007032000-memory.dmp

Filesize
72KB

Download
memory/4680-1123-0x0000000007040000-0x000000000707C000-memory.dmp

Filesize
240KB

Download
memory/4680-1124-0x0000000006310000-0x0000000006320000-memory.dmp

Filesize
64KB

Download
memory/4680-1126-0x0000000007330000-0x00000000073C2000-memory.dmp

Filesize
584KB

Download
memory/4680-1127-0x00000000073D0000-0x0000000007436000-memory.dmp

Filesize
408KB

Download
memory/4680-1128-0x0000000006310000-0x0000000006320000-memory.dmp

Filesize
64KB

Download
memory/4680-1129-0x0000000006310000-0x0000000006320000-memory.dmp

Filesize
64KB

Download
memory/4680-1130-0x0000000006310000-0x0000000006320000-memory.dmp

Filesize
64KB

Download
memory/4680-1131-0x0000000007AF0000-0x0000000007CB2000-memory.dmp

Filesize
1.8MB

Download
memory/4680-1132-0x0000000007CD0000-0x00000000081FC000-memory.dmp

Filesize
5.2MB

Download
memory/4680-1133-0x0000000006310000-0x0000000006320000-memory.dmp

Filesize
64KB

Download
memory/4680-229-0x0000000003A90000-0x0000000003ACF000-memory.dmp

Filesize
252KB

Download
memory/4680-228-0x0000000006310000-0x0000000006320000-memory.dmp

Filesize
64KB

Download
memory/4680-226-0x0000000006310000-0x0000000006320000-memory.dmp

Filesize
64KB

Download
memory/4680-223-0x0000000006310000-0x0000000006320000-memory.dmp

Filesize
64KB

Download
memory/4680-225-0x0000000003A90000-0x0000000003ACF000-memory.dmp

Filesize
252KB

Download
memory/4680-222-0x0000000003A90000-0x0000000003ACF000-memory.dmp

Filesize
252KB

Download
memory/4680-221-0x0000000001DA0000-0x0000000001DEB000-memory.dmp

Filesize
300KB

Download
memory/4680-217-0x0000000003A90000-0x0000000003ACF000-memory.dmp

Filesize
252KB

Download
memory/4680-215-0x0000000003A90000-0x0000000003ACF000-memory.dmp

Filesize
252KB

Download
memory/4680-213-0x0000000003A90000-0x0000000003ACF000-memory.dmp

Filesize
252KB

Download
memory/4680-211-0x0000000003A90000-0x0000000003ACF000-memory.dmp

Filesize
252KB

Download
memory/4680-210-0x0000000003A90000-0x0000000003ACF000-memory.dmp

Filesize
252KB

Download
memory/4680-1134-0x0000000008450000-0x00000000084C6000-memory.dmp

Filesize
472KB

Download
memory/4680-1135-0x00000000084D0000-0x0000000008520000-memory.dmp

Filesize
320KB

Download
memory/4816-161-0x0000000000A10000-0x0000000000A1A000-memory.dmp

Filesize
40KB

Download