amadey | 4a407334ea734f4e10e5fdee44e525432e159d6f9b0318ca2728d64814d3e95c

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a407334ea734f4e10e5fdee44e525432e159d6f9b0318ca2728d64814d3e95c.exe
Size

1000KB
MD5

c8f6e6162fc999b8dd294eb8dbcc1f5f
SHA1

6dcf7f3af7ce0e7593da48d562c23a30c6ddcee7
SHA256

4a407334ea734f4e10e5fdee44e525432e159d6f9b0318ca2728d64814d3e95c
SHA512

d600d370822c63cdcac21d07990ae46eb1237a8778697b6684a7886d304634e7835208d847a02325383b879f7e815d830686466f314eaa13b690811e60941f91
SSDEEP

24576:/yxK/7VzbCnhMZzM1BrNpIG5oDloDmSXq0elZ9BNy:KU1bKhMZw1BrN2aISfq0S9n

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v3644ag.exetz8664.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v3644ag.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz8664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz8664.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v3644ag.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v3644ag.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v3644ag.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v3644ag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz8664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz8664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz8664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz8664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v3644ag.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4332-210-0x0000000005080000-0x00000000050BF000-memory.dmp	family_redline
behavioral1/memory/4332-209-0x0000000005080000-0x00000000050BF000-memory.dmp	family_redline
behavioral1/memory/4332-212-0x0000000005080000-0x00000000050BF000-memory.dmp	family_redline
behavioral1/memory/4332-214-0x0000000005080000-0x00000000050BF000-memory.dmp	family_redline
behavioral1/memory/4332-216-0x0000000005080000-0x00000000050BF000-memory.dmp	family_redline
behavioral1/memory/4332-218-0x0000000005080000-0x00000000050BF000-memory.dmp	family_redline
behavioral1/memory/4332-220-0x0000000005080000-0x00000000050BF000-memory.dmp	family_redline
behavioral1/memory/4332-222-0x0000000005080000-0x00000000050BF000-memory.dmp	family_redline
behavioral1/memory/4332-224-0x0000000005080000-0x00000000050BF000-memory.dmp	family_redline
behavioral1/memory/4332-231-0x0000000005080000-0x00000000050BF000-memory.dmp	family_redline
behavioral1/memory/4332-226-0x0000000005080000-0x00000000050BF000-memory.dmp	family_redline
behavioral1/memory/4332-233-0x0000000005080000-0x00000000050BF000-memory.dmp	family_redline
behavioral1/memory/4332-235-0x0000000005080000-0x00000000050BF000-memory.dmp	family_redline
behavioral1/memory/4332-237-0x0000000005080000-0x00000000050BF000-memory.dmp	family_redline
behavioral1/memory/4332-239-0x0000000005080000-0x00000000050BF000-memory.dmp	family_redline
behavioral1/memory/4332-241-0x0000000005080000-0x00000000050BF000-memory.dmp	family_redline
behavioral1/memory/4332-243-0x0000000005080000-0x00000000050BF000-memory.dmp	family_redline
behavioral1/memory/4332-245-0x0000000005080000-0x00000000050BF000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y24OR88.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	y24OR88.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 11 IoCs

Processes:

zap7190.exezap9352.exezap5943.exetz8664.exev3644ag.exew87iD02.exexGvgc86.exey24OR88.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
1072	zap7190.exe
1456	zap9352.exe
4048	zap5943.exe
1916	tz8664.exe
2600	v3644ag.exe
4332	w87iD02.exe
5112	xGvgc86.exe
4712	y24OR88.exe
4952	oneetx.exe
1952	oneetx.exe
4644	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

740 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
740	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz8664.exev3644ag.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz8664.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v3644ag.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v3644ag.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap9352.exezap5943.exe4a407334ea734f4e10e5fdee44e525432e159d6f9b0318ca2728d64814d3e95c.exezap7190.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap9352.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap5943.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap5943.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4a407334ea734f4e10e5fdee44e525432e159d6f9b0318ca2728d64814d3e95c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4a407334ea734f4e10e5fdee44e525432e159d6f9b0318ca2728d64814d3e95c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7190.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap7190.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9352.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5084 2600 WerFault.exe v3644ag.exe
5104 4332 WerFault.exe w87iD02.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1740 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz8664.exev3644ag.exew87iD02.exexGvgc86.exe

pid process

1916 tz8664.exe
1916 tz8664.exe
2600 v3644ag.exe
2600 v3644ag.exe
4332 w87iD02.exe
4332 w87iD02.exe
5112 xGvgc86.exe
5112 xGvgc86.exe

pid	pid_target	process	target process
5084	2600	WerFault.exe	v3644ag.exe
5104	4332	WerFault.exe	w87iD02.exe

pid	process
1740	schtasks.exe

pid	process
1916	tz8664.exe
1916	tz8664.exe
2600	v3644ag.exe
2600	v3644ag.exe
4332	w87iD02.exe
4332	w87iD02.exe
5112	xGvgc86.exe
5112	xGvgc86.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz8664.exev3644ag.exew87iD02.exexGvgc86.exe

description	pid	process
Token: SeDebugPrivilege	1916	tz8664.exe
Token: SeDebugPrivilege	2600	v3644ag.exe
Token: SeDebugPrivilege	4332	w87iD02.exe
Token: SeDebugPrivilege	5112	xGvgc86.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y24OR88.exe

pid process

4712 y24OR88.exe

pid	process
4712	y24OR88.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

4a407334ea734f4e10e5fdee44e525432e159d6f9b0318ca2728d64814d3e95c.exezap7190.exezap9352.exezap5943.exey24OR88.exeoneetx.execmd.exe

description	pid	process	target process
PID 628 wrote to memory of 1072	628	4a407334ea734f4e10e5fdee44e525432e159d6f9b0318ca2728d64814d3e95c.exe	zap7190.exe
PID 628 wrote to memory of 1072	628	4a407334ea734f4e10e5fdee44e525432e159d6f9b0318ca2728d64814d3e95c.exe	zap7190.exe
PID 628 wrote to memory of 1072	628	4a407334ea734f4e10e5fdee44e525432e159d6f9b0318ca2728d64814d3e95c.exe	zap7190.exe
PID 1072 wrote to memory of 1456	1072	zap7190.exe	zap9352.exe
PID 1072 wrote to memory of 1456	1072	zap7190.exe	zap9352.exe
PID 1072 wrote to memory of 1456	1072	zap7190.exe	zap9352.exe
PID 1456 wrote to memory of 4048	1456	zap9352.exe	zap5943.exe
PID 1456 wrote to memory of 4048	1456	zap9352.exe	zap5943.exe
PID 1456 wrote to memory of 4048	1456	zap9352.exe	zap5943.exe
PID 4048 wrote to memory of 1916	4048	zap5943.exe	tz8664.exe
PID 4048 wrote to memory of 1916	4048	zap5943.exe	tz8664.exe
PID 4048 wrote to memory of 2600	4048	zap5943.exe	v3644ag.exe
PID 4048 wrote to memory of 2600	4048	zap5943.exe	v3644ag.exe
PID 4048 wrote to memory of 2600	4048	zap5943.exe	v3644ag.exe
PID 1456 wrote to memory of 4332	1456	zap9352.exe	w87iD02.exe
PID 1456 wrote to memory of 4332	1456	zap9352.exe	w87iD02.exe
PID 1456 wrote to memory of 4332	1456	zap9352.exe	w87iD02.exe
PID 1072 wrote to memory of 5112	1072	zap7190.exe	xGvgc86.exe
PID 1072 wrote to memory of 5112	1072	zap7190.exe	xGvgc86.exe
PID 1072 wrote to memory of 5112	1072	zap7190.exe	xGvgc86.exe
PID 628 wrote to memory of 4712	628	4a407334ea734f4e10e5fdee44e525432e159d6f9b0318ca2728d64814d3e95c.exe	y24OR88.exe
PID 628 wrote to memory of 4712	628	4a407334ea734f4e10e5fdee44e525432e159d6f9b0318ca2728d64814d3e95c.exe	y24OR88.exe
PID 628 wrote to memory of 4712	628	4a407334ea734f4e10e5fdee44e525432e159d6f9b0318ca2728d64814d3e95c.exe	y24OR88.exe
PID 4712 wrote to memory of 4952	4712	y24OR88.exe	oneetx.exe
PID 4712 wrote to memory of 4952	4712	y24OR88.exe	oneetx.exe
PID 4712 wrote to memory of 4952	4712	y24OR88.exe	oneetx.exe
PID 4952 wrote to memory of 1740	4952	oneetx.exe	schtasks.exe
PID 4952 wrote to memory of 1740	4952	oneetx.exe	schtasks.exe
PID 4952 wrote to memory of 1740	4952	oneetx.exe	schtasks.exe
PID 4952 wrote to memory of 1912	4952	oneetx.exe	cmd.exe
PID 4952 wrote to memory of 1912	4952	oneetx.exe	cmd.exe
PID 4952 wrote to memory of 1912	4952	oneetx.exe	cmd.exe
PID 1912 wrote to memory of 4808	1912	cmd.exe	cmd.exe
PID 1912 wrote to memory of 4808	1912	cmd.exe	cmd.exe
PID 1912 wrote to memory of 4808	1912	cmd.exe	cmd.exe
PID 1912 wrote to memory of 224	1912	cmd.exe	cacls.exe
PID 1912 wrote to memory of 224	1912	cmd.exe	cacls.exe
PID 1912 wrote to memory of 224	1912	cmd.exe	cacls.exe
PID 1912 wrote to memory of 4476	1912	cmd.exe	cacls.exe
PID 1912 wrote to memory of 4476	1912	cmd.exe	cacls.exe
PID 1912 wrote to memory of 4476	1912	cmd.exe	cacls.exe
PID 1912 wrote to memory of 212	1912	cmd.exe	cmd.exe
PID 1912 wrote to memory of 212	1912	cmd.exe	cmd.exe
PID 1912 wrote to memory of 212	1912	cmd.exe	cmd.exe
PID 1912 wrote to memory of 3388	1912	cmd.exe	cacls.exe
PID 1912 wrote to memory of 3388	1912	cmd.exe	cacls.exe
PID 1912 wrote to memory of 3388	1912	cmd.exe	cacls.exe
PID 1912 wrote to memory of 5048	1912	cmd.exe	cacls.exe
PID 1912 wrote to memory of 5048	1912	cmd.exe	cacls.exe
PID 1912 wrote to memory of 5048	1912	cmd.exe	cacls.exe
PID 4952 wrote to memory of 740	4952	oneetx.exe	rundll32.exe
PID 4952 wrote to memory of 740	4952	oneetx.exe	rundll32.exe
PID 4952 wrote to memory of 740	4952	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\4a407334ea734f4e10e5fdee44e525432e159d6f9b0318ca2728d64814d3e95c.exe
"C:\Users\Admin\AppData\Local\Temp\4a407334ea734f4e10e5fdee44e525432e159d6f9b0318ca2728d64814d3e95c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:628

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7190.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7190.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9352.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9352.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap5943.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap5943.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4048

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8664.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8664.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3644ag.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3644ag.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1084
6⤵
- Program crash
PID:5084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w87iD02.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w87iD02.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1580
5⤵
- Program crash
PID:5104

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xGvgc86.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xGvgc86.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y24OR88.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y24OR88.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4712

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:1740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4808

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:224

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:212

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:3388

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:5048

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2600 -ip 2600
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4332 -ip 4332
1⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:1952

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:4644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y24OR88.exe
Filesize
236KB

MD5
85d7bb8b0c940ed7caa2ea185daa51fd

SHA1
f8aa7cfbf656ca981cf769d293221afee3e9c4e2

SHA256
81689cd47134aedfd5baf922fbe241ac1f658a3a239a3dd389ee6784e401f79a

SHA512
b1078f0c1d8eb9c593b174b63e6d6eb9c6544a3d50a06562dbf9818b25cac3145b62f0b672c8bfd2c0f3568708f0f01c1bc101c4f488831dafb492b1edfce349

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y24OR88.exe
Filesize
236KB

MD5
85d7bb8b0c940ed7caa2ea185daa51fd

SHA1
f8aa7cfbf656ca981cf769d293221afee3e9c4e2

SHA256
81689cd47134aedfd5baf922fbe241ac1f658a3a239a3dd389ee6784e401f79a

SHA512
b1078f0c1d8eb9c593b174b63e6d6eb9c6544a3d50a06562dbf9818b25cac3145b62f0b672c8bfd2c0f3568708f0f01c1bc101c4f488831dafb492b1edfce349

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7190.exe
Filesize
815KB

MD5
e7a5bf50a10d82914af4da875ebb66fc

SHA1
794dcd412b48e65953f2ee547a3d76a6501cfeae

SHA256
c303d65fe82b8447a0d9659e420581b34b7380f1068118b35f1bc19ca1720379

SHA512
0242682293227440147b9033134ee91309b41c2590f8cf6d4290e8b8e0bd05b6705ad20bf7535a5ce21aeefcbde207902f813db5c9f1474437bde09c6deffffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7190.exe
Filesize
815KB

MD5
e7a5bf50a10d82914af4da875ebb66fc

SHA1
794dcd412b48e65953f2ee547a3d76a6501cfeae

SHA256
c303d65fe82b8447a0d9659e420581b34b7380f1068118b35f1bc19ca1720379

SHA512
0242682293227440147b9033134ee91309b41c2590f8cf6d4290e8b8e0bd05b6705ad20bf7535a5ce21aeefcbde207902f813db5c9f1474437bde09c6deffffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xGvgc86.exe
Filesize
175KB

MD5
ae6c2db634fcb2878a99b192a9c6066a

SHA1
c6e74d1faf99788e1105bd6406d45b1fcaf2a12c

SHA256
4bacc8f8f4e79cd84fc9a4e0dfe572b6b3024f48f4072c5b231b2afe8cc57c07

SHA512
1d2c5e6ac9c17247cb6f91df2dc96ee016392b905586ec6dd0039326eb901ef7de4de65dd51a27d7b184e0587b9098ec34c533679e604bdb3640d5bd7cde473e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xGvgc86.exe
Filesize
175KB

MD5
ae6c2db634fcb2878a99b192a9c6066a

SHA1
c6e74d1faf99788e1105bd6406d45b1fcaf2a12c

SHA256
4bacc8f8f4e79cd84fc9a4e0dfe572b6b3024f48f4072c5b231b2afe8cc57c07

SHA512
1d2c5e6ac9c17247cb6f91df2dc96ee016392b905586ec6dd0039326eb901ef7de4de65dd51a27d7b184e0587b9098ec34c533679e604bdb3640d5bd7cde473e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9352.exe
Filesize
674KB

MD5
ba1b575bbd6a5ba411a31c69fa2b609c

SHA1
227a114fe63632512b15042e3278a21cd0bf610c

SHA256
42a1d773d6a88a222a1593efc61f220e16e9b6db22277dae8b916ec260b7b49c

SHA512
4854f4b578ece41f349f60472ee1e041e989b0eb5fec39648484483c3c9693af9bc3535ac8cc3d46297b78fef2918ab754d91e04fa753f8767538eaf2b35b393

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9352.exe
Filesize
674KB

MD5
ba1b575bbd6a5ba411a31c69fa2b609c

SHA1
227a114fe63632512b15042e3278a21cd0bf610c

SHA256
42a1d773d6a88a222a1593efc61f220e16e9b6db22277dae8b916ec260b7b49c

SHA512
4854f4b578ece41f349f60472ee1e041e989b0eb5fec39648484483c3c9693af9bc3535ac8cc3d46297b78fef2918ab754d91e04fa753f8767538eaf2b35b393

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w87iD02.exe
Filesize
318KB

MD5
ab0dfb36e456852df6fb75583650748f

SHA1
04a3af915d4d0b9a82becd2fa2746f4bc0f20be2

SHA256
37ba9162463f6a60261c1bb72170eb587fac9518e1a92bec4a5b533835f893bb

SHA512
99c6dc0e2df0c2d35aff5bb581e347cdb3d6a30b3be2a8edca2c105481fdccf46444aa8503154283e35ba9648ca31d0266619c450e17451a7b6ff61df0fda7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w87iD02.exe
Filesize
318KB

MD5
ab0dfb36e456852df6fb75583650748f

SHA1
04a3af915d4d0b9a82becd2fa2746f4bc0f20be2

SHA256
37ba9162463f6a60261c1bb72170eb587fac9518e1a92bec4a5b533835f893bb

SHA512
99c6dc0e2df0c2d35aff5bb581e347cdb3d6a30b3be2a8edca2c105481fdccf46444aa8503154283e35ba9648ca31d0266619c450e17451a7b6ff61df0fda7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap5943.exe
Filesize
333KB

MD5
023ce981e1e91ebd80fb03c6c0debe75

SHA1
eda6aa9e353ef1f985c10ac313f5a546e07e89eb

SHA256
bb06c19d8551de5833db5b2dac78e8d480e1063073272fe5f9681ec4bffa0879

SHA512
f97506a9f125fb9f5e617c9a4b1a34b4134111e1c43e8ec01c8b0b124efbeb5877abba3dc86a726672a780ef7c4df4d9e9e25d50f740ac7fcb87d1847e9c922b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap5943.exe
Filesize
333KB

MD5
023ce981e1e91ebd80fb03c6c0debe75

SHA1
eda6aa9e353ef1f985c10ac313f5a546e07e89eb

SHA256
bb06c19d8551de5833db5b2dac78e8d480e1063073272fe5f9681ec4bffa0879

SHA512
f97506a9f125fb9f5e617c9a4b1a34b4134111e1c43e8ec01c8b0b124efbeb5877abba3dc86a726672a780ef7c4df4d9e9e25d50f740ac7fcb87d1847e9c922b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8664.exe
Filesize
11KB

MD5
2cd7a553a6257fbbacbe6001c62c7208

SHA1
ad82963f785062ffedf1177804c90d1bb81ee9f5

SHA256
71e318348a3dbea4ed5e27d24f5810eb24938c320621cad9045196400af3d161

SHA512
2589974ac81019f4a6388acc7cc43083f39e8366e87ee59393d0b42d0b85468ed51e5c64b4292b3af898ffc2769328a7949f95437bc315e0da318f795c79228d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8664.exe
Filesize
11KB

MD5
2cd7a553a6257fbbacbe6001c62c7208

SHA1
ad82963f785062ffedf1177804c90d1bb81ee9f5

SHA256
71e318348a3dbea4ed5e27d24f5810eb24938c320621cad9045196400af3d161

SHA512
2589974ac81019f4a6388acc7cc43083f39e8366e87ee59393d0b42d0b85468ed51e5c64b4292b3af898ffc2769328a7949f95437bc315e0da318f795c79228d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3644ag.exe
Filesize
259KB

MD5
1b183e94c356cbbb7a0fe38cdf340f58

SHA1
213008408db24b65d620d0826a404247e0302f5f

SHA256
59ab0867917615ed299cdf31b6175c4a99bc82aad2c1329380af096df0382b10

SHA512
99723b958d8b33b9ac90e7b6dfe8618a7eb3b03d3b0715aecb995c90dcdcbeeb68b7ed89d97a058cafb66a9aa6737bd783cd1d473aa7d4b79928b505ef363214

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3644ag.exe
Filesize
259KB

MD5
1b183e94c356cbbb7a0fe38cdf340f58

SHA1
213008408db24b65d620d0826a404247e0302f5f

SHA256
59ab0867917615ed299cdf31b6175c4a99bc82aad2c1329380af096df0382b10

SHA512
99723b958d8b33b9ac90e7b6dfe8618a7eb3b03d3b0715aecb995c90dcdcbeeb68b7ed89d97a058cafb66a9aa6737bd783cd1d473aa7d4b79928b505ef363214

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
85d7bb8b0c940ed7caa2ea185daa51fd

SHA1
f8aa7cfbf656ca981cf769d293221afee3e9c4e2

SHA256
81689cd47134aedfd5baf922fbe241ac1f658a3a239a3dd389ee6784e401f79a

SHA512
b1078f0c1d8eb9c593b174b63e6d6eb9c6544a3d50a06562dbf9818b25cac3145b62f0b672c8bfd2c0f3568708f0f01c1bc101c4f488831dafb492b1edfce349

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
85d7bb8b0c940ed7caa2ea185daa51fd

SHA1
f8aa7cfbf656ca981cf769d293221afee3e9c4e2

SHA256
81689cd47134aedfd5baf922fbe241ac1f658a3a239a3dd389ee6784e401f79a

SHA512
b1078f0c1d8eb9c593b174b63e6d6eb9c6544a3d50a06562dbf9818b25cac3145b62f0b672c8bfd2c0f3568708f0f01c1bc101c4f488831dafb492b1edfce349

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
85d7bb8b0c940ed7caa2ea185daa51fd

SHA1
f8aa7cfbf656ca981cf769d293221afee3e9c4e2

SHA256
81689cd47134aedfd5baf922fbe241ac1f658a3a239a3dd389ee6784e401f79a

SHA512
b1078f0c1d8eb9c593b174b63e6d6eb9c6544a3d50a06562dbf9818b25cac3145b62f0b672c8bfd2c0f3568708f0f01c1bc101c4f488831dafb492b1edfce349

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
85d7bb8b0c940ed7caa2ea185daa51fd

SHA1
f8aa7cfbf656ca981cf769d293221afee3e9c4e2

SHA256
81689cd47134aedfd5baf922fbe241ac1f658a3a239a3dd389ee6784e401f79a

SHA512
b1078f0c1d8eb9c593b174b63e6d6eb9c6544a3d50a06562dbf9818b25cac3145b62f0b672c8bfd2c0f3568708f0f01c1bc101c4f488831dafb492b1edfce349

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
85d7bb8b0c940ed7caa2ea185daa51fd

SHA1
f8aa7cfbf656ca981cf769d293221afee3e9c4e2

SHA256
81689cd47134aedfd5baf922fbe241ac1f658a3a239a3dd389ee6784e401f79a

SHA512
b1078f0c1d8eb9c593b174b63e6d6eb9c6544a3d50a06562dbf9818b25cac3145b62f0b672c8bfd2c0f3568708f0f01c1bc101c4f488831dafb492b1edfce349

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1916-161-0x00000000009F0000-0x00000000009FA000-memory.dmp

Filesize
40KB

Download
memory/2600-179-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2600-187-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2600-191-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2600-189-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2600-193-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2600-195-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2600-197-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2600-199-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2600-185-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2600-200-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2600-201-0x0000000002290000-0x00000000022A0000-memory.dmp

Filesize
64KB

Download
memory/2600-202-0x0000000002290000-0x00000000022A0000-memory.dmp

Filesize
64KB

Download
memory/2600-204-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2600-183-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2600-181-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2600-177-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2600-175-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2600-173-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2600-172-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2600-171-0x0000000002290000-0x00000000022A0000-memory.dmp

Filesize
64KB

Download
memory/2600-170-0x0000000002290000-0x00000000022A0000-memory.dmp

Filesize
64KB

Download
memory/2600-167-0x0000000000640000-0x000000000066D000-memory.dmp

Filesize
180KB

Download
memory/2600-169-0x0000000002290000-0x00000000022A0000-memory.dmp

Filesize
64KB

Download
memory/2600-168-0x0000000004AE0000-0x0000000005084000-memory.dmp

Filesize
5.6MB

Download
memory/4332-218-0x0000000005080000-0x00000000050BF000-memory.dmp

Filesize
252KB

Download
memory/4332-1129-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/4332-226-0x0000000005080000-0x00000000050BF000-memory.dmp

Filesize
252KB

Download
memory/4332-233-0x0000000005080000-0x00000000050BF000-memory.dmp

Filesize
252KB

Download
memory/4332-235-0x0000000005080000-0x00000000050BF000-memory.dmp

Filesize
252KB

Download
memory/4332-237-0x0000000005080000-0x00000000050BF000-memory.dmp

Filesize
252KB

Download
memory/4332-239-0x0000000005080000-0x00000000050BF000-memory.dmp

Filesize
252KB

Download
memory/4332-241-0x0000000005080000-0x00000000050BF000-memory.dmp

Filesize
252KB

Download
memory/4332-243-0x0000000005080000-0x00000000050BF000-memory.dmp

Filesize
252KB

Download
memory/4332-245-0x0000000005080000-0x00000000050BF000-memory.dmp

Filesize
252KB

Download
memory/4332-1118-0x00000000050C0000-0x00000000056D8000-memory.dmp

Filesize
6.1MB

Download
memory/4332-1119-0x0000000005760000-0x000000000586A000-memory.dmp

Filesize
1.0MB

Download
memory/4332-1120-0x00000000058A0000-0x00000000058B2000-memory.dmp

Filesize
72KB

Download
memory/4332-1121-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/4332-1122-0x00000000058C0000-0x00000000058FC000-memory.dmp

Filesize
240KB

Download
memory/4332-1124-0x0000000005BB0000-0x0000000005C42000-memory.dmp

Filesize
584KB

Download
memory/4332-1125-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/4332-1126-0x0000000006450000-0x00000000064C6000-memory.dmp

Filesize
472KB

Download
memory/4332-1127-0x00000000064E0000-0x0000000006530000-memory.dmp

Filesize
320KB

Download
memory/4332-231-0x0000000005080000-0x00000000050BF000-memory.dmp

Filesize
252KB

Download
memory/4332-1130-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/4332-1128-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/4332-1131-0x0000000006560000-0x0000000006722000-memory.dmp

Filesize
1.8MB

Download
memory/4332-1132-0x0000000006730000-0x0000000006C5C000-memory.dmp

Filesize
5.2MB

Download
memory/4332-1133-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/4332-210-0x0000000005080000-0x00000000050BF000-memory.dmp

Filesize
252KB

Download
memory/4332-209-0x0000000005080000-0x00000000050BF000-memory.dmp

Filesize
252KB

Download
memory/4332-230-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/4332-227-0x0000000000610000-0x000000000065B000-memory.dmp

Filesize
300KB

Download
memory/4332-229-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/4332-224-0x0000000005080000-0x00000000050BF000-memory.dmp

Filesize
252KB

Download
memory/4332-222-0x0000000005080000-0x00000000050BF000-memory.dmp

Filesize
252KB

Download
memory/4332-220-0x0000000005080000-0x00000000050BF000-memory.dmp

Filesize
252KB

Download
memory/4332-216-0x0000000005080000-0x00000000050BF000-memory.dmp

Filesize
252KB

Download
memory/4332-214-0x0000000005080000-0x00000000050BF000-memory.dmp

Filesize
252KB

Download
memory/4332-212-0x0000000005080000-0x00000000050BF000-memory.dmp

Filesize
252KB

Download
memory/5112-1140-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/5112-1139-0x00000000005B0000-0x00000000005E2000-memory.dmp

Filesize
200KB

Download