amadey | 9bd9510ae549a9f03c9cbd8d68f6e09e5617cbf798981888089dd508c3344758

Analysis

max time kernel
158s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bd9510ae549a9f03c9cbd8d68f6e09e5617cbf798981888089dd508c3344758.exe
Size

1000KB
MD5

f67469bdc4991e2fcb86bce7f9a8e7e1
SHA1

d0507d336a444e79d457d069036818997c67488b
SHA256

9bd9510ae549a9f03c9cbd8d68f6e09e5617cbf798981888089dd508c3344758
SHA512

58f9ec62bf9a7b06e62f8a3bec1fc6c5efc9c9adfe5ad3d78105476cd7cfdd8301341e68f497f03ce69cfe97595449b2ea5a18f2fc18ee10e66642eebc5837e3
SSDEEP

24576:tyUwKTLJVEzIbue7P0O+EEpmdRoGvgczeX9gcTFmkCA:IRKTmIb57PP7dTxMTTFu

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v7998vl.exetz6220.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v7998vl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v7998vl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v7998vl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v7998vl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz6220.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz6220.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz6220.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz6220.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz6220.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz6220.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v7998vl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v7998vl.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3424-211-0x0000000002550000-0x000000000258F000-memory.dmp	family_redline
behavioral1/memory/3424-212-0x0000000002550000-0x000000000258F000-memory.dmp	family_redline
behavioral1/memory/3424-214-0x0000000002550000-0x000000000258F000-memory.dmp	family_redline
behavioral1/memory/3424-216-0x0000000002550000-0x000000000258F000-memory.dmp	family_redline
behavioral1/memory/3424-218-0x0000000002550000-0x000000000258F000-memory.dmp	family_redline
behavioral1/memory/3424-220-0x0000000002550000-0x000000000258F000-memory.dmp	family_redline
behavioral1/memory/3424-222-0x0000000002550000-0x000000000258F000-memory.dmp	family_redline
behavioral1/memory/3424-224-0x0000000002550000-0x000000000258F000-memory.dmp	family_redline
behavioral1/memory/3424-226-0x0000000002550000-0x000000000258F000-memory.dmp	family_redline
behavioral1/memory/3424-229-0x0000000002550000-0x000000000258F000-memory.dmp	family_redline
behavioral1/memory/3424-232-0x0000000002480000-0x0000000002490000-memory.dmp	family_redline
behavioral1/memory/3424-233-0x0000000002550000-0x000000000258F000-memory.dmp	family_redline
behavioral1/memory/3424-235-0x0000000002550000-0x000000000258F000-memory.dmp	family_redline
behavioral1/memory/3424-237-0x0000000002550000-0x000000000258F000-memory.dmp	family_redline
behavioral1/memory/3424-239-0x0000000002550000-0x000000000258F000-memory.dmp	family_redline
behavioral1/memory/3424-241-0x0000000002550000-0x000000000258F000-memory.dmp	family_redline
behavioral1/memory/3424-243-0x0000000002550000-0x000000000258F000-memory.dmp	family_redline
behavioral1/memory/3424-245-0x0000000002550000-0x000000000258F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

oneetx.exey53Vo90.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	y53Vo90.exe

Executes dropped EXE 11 IoCs

Processes:

zap6391.exezap0105.exezap2383.exetz6220.exev7998vl.exew06mJ70.exexlcUJ55.exey53Vo90.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
3304	zap6391.exe
1244	zap0105.exe
4464	zap2383.exe
1404	tz6220.exe
1260	v7998vl.exe
3424	w06mJ70.exe
2856	xlcUJ55.exe
2316	y53Vo90.exe
2244	oneetx.exe
4512	oneetx.exe
2368	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2492 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2492	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz6220.exev7998vl.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz6220.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v7998vl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v7998vl.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap2383.exe9bd9510ae549a9f03c9cbd8d68f6e09e5617cbf798981888089dd508c3344758.exezap6391.exezap0105.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2383.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap2383.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9bd9510ae549a9f03c9cbd8d68f6e09e5617cbf798981888089dd508c3344758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9bd9510ae549a9f03c9cbd8d68f6e09e5617cbf798981888089dd508c3344758.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6391.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap6391.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap0105.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4544 1260 WerFault.exe v7998vl.exe
3284 3424 WerFault.exe w06mJ70.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2876 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz6220.exev7998vl.exew06mJ70.exexlcUJ55.exe

pid process

1404 tz6220.exe
1404 tz6220.exe
1260 v7998vl.exe
1260 v7998vl.exe
3424 w06mJ70.exe
3424 w06mJ70.exe
2856 xlcUJ55.exe
2856 xlcUJ55.exe

pid	pid_target	process	target process
4544	1260	WerFault.exe	v7998vl.exe
3284	3424	WerFault.exe	w06mJ70.exe

pid	process
2876	schtasks.exe

pid	process
1404	tz6220.exe
1404	tz6220.exe
1260	v7998vl.exe
1260	v7998vl.exe
3424	w06mJ70.exe
3424	w06mJ70.exe
2856	xlcUJ55.exe
2856	xlcUJ55.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz6220.exev7998vl.exew06mJ70.exexlcUJ55.exe

description	pid	process
Token: SeDebugPrivilege	1404	tz6220.exe
Token: SeDebugPrivilege	1260	v7998vl.exe
Token: SeDebugPrivilege	3424	w06mJ70.exe
Token: SeDebugPrivilege	2856	xlcUJ55.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y53Vo90.exe

pid process

2316 y53Vo90.exe

pid	process
2316	y53Vo90.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

9bd9510ae549a9f03c9cbd8d68f6e09e5617cbf798981888089dd508c3344758.exezap6391.exezap0105.exezap2383.exey53Vo90.exeoneetx.execmd.exe

description	pid	process	target process
PID 864 wrote to memory of 3304	864	9bd9510ae549a9f03c9cbd8d68f6e09e5617cbf798981888089dd508c3344758.exe	zap6391.exe
PID 864 wrote to memory of 3304	864	9bd9510ae549a9f03c9cbd8d68f6e09e5617cbf798981888089dd508c3344758.exe	zap6391.exe
PID 864 wrote to memory of 3304	864	9bd9510ae549a9f03c9cbd8d68f6e09e5617cbf798981888089dd508c3344758.exe	zap6391.exe
PID 3304 wrote to memory of 1244	3304	zap6391.exe	zap0105.exe
PID 3304 wrote to memory of 1244	3304	zap6391.exe	zap0105.exe
PID 3304 wrote to memory of 1244	3304	zap6391.exe	zap0105.exe
PID 1244 wrote to memory of 4464	1244	zap0105.exe	zap2383.exe
PID 1244 wrote to memory of 4464	1244	zap0105.exe	zap2383.exe
PID 1244 wrote to memory of 4464	1244	zap0105.exe	zap2383.exe
PID 4464 wrote to memory of 1404	4464	zap2383.exe	tz6220.exe
PID 4464 wrote to memory of 1404	4464	zap2383.exe	tz6220.exe
PID 4464 wrote to memory of 1260	4464	zap2383.exe	v7998vl.exe
PID 4464 wrote to memory of 1260	4464	zap2383.exe	v7998vl.exe
PID 4464 wrote to memory of 1260	4464	zap2383.exe	v7998vl.exe
PID 1244 wrote to memory of 3424	1244	zap0105.exe	w06mJ70.exe
PID 1244 wrote to memory of 3424	1244	zap0105.exe	w06mJ70.exe
PID 1244 wrote to memory of 3424	1244	zap0105.exe	w06mJ70.exe
PID 3304 wrote to memory of 2856	3304	zap6391.exe	xlcUJ55.exe
PID 3304 wrote to memory of 2856	3304	zap6391.exe	xlcUJ55.exe
PID 3304 wrote to memory of 2856	3304	zap6391.exe	xlcUJ55.exe
PID 864 wrote to memory of 2316	864	9bd9510ae549a9f03c9cbd8d68f6e09e5617cbf798981888089dd508c3344758.exe	y53Vo90.exe
PID 864 wrote to memory of 2316	864	9bd9510ae549a9f03c9cbd8d68f6e09e5617cbf798981888089dd508c3344758.exe	y53Vo90.exe
PID 864 wrote to memory of 2316	864	9bd9510ae549a9f03c9cbd8d68f6e09e5617cbf798981888089dd508c3344758.exe	y53Vo90.exe
PID 2316 wrote to memory of 2244	2316	y53Vo90.exe	oneetx.exe
PID 2316 wrote to memory of 2244	2316	y53Vo90.exe	oneetx.exe
PID 2316 wrote to memory of 2244	2316	y53Vo90.exe	oneetx.exe
PID 2244 wrote to memory of 2876	2244	oneetx.exe	schtasks.exe
PID 2244 wrote to memory of 2876	2244	oneetx.exe	schtasks.exe
PID 2244 wrote to memory of 2876	2244	oneetx.exe	schtasks.exe
PID 2244 wrote to memory of 2396	2244	oneetx.exe	cmd.exe
PID 2244 wrote to memory of 2396	2244	oneetx.exe	cmd.exe
PID 2244 wrote to memory of 2396	2244	oneetx.exe	cmd.exe
PID 2396 wrote to memory of 1208	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 1208	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 1208	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 2460	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 2460	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 2460	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 3332	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 3332	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 3332	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 4532	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 4532	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 4532	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 4380	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 4380	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 4380	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 2000	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 2000	2396	cmd.exe	cacls.exe
PID 2396 wrote to memory of 2000	2396	cmd.exe	cacls.exe
PID 2244 wrote to memory of 2492	2244	oneetx.exe	rundll32.exe
PID 2244 wrote to memory of 2492	2244	oneetx.exe	rundll32.exe
PID 2244 wrote to memory of 2492	2244	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\9bd9510ae549a9f03c9cbd8d68f6e09e5617cbf798981888089dd508c3344758.exe
"C:\Users\Admin\AppData\Local\Temp\9bd9510ae549a9f03c9cbd8d68f6e09e5617cbf798981888089dd508c3344758.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6391.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6391.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3304

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0105.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0105.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2383.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2383.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4464

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6220.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6220.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7998vl.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7998vl.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 1084
6⤵
- Program crash
PID:4544

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w06mJ70.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w06mJ70.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1336
5⤵
- Program crash
PID:3284

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xlcUJ55.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xlcUJ55.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53Vo90.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53Vo90.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:2876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1208

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:2460

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4532

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:4380

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:2000

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1260 -ip 1260
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3424 -ip 3424
1⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:4512

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:2368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53Vo90.exe
Filesize
236KB

MD5
29c97918109fbcd62b0891c7a882116d

SHA1
55a22ff0220e7bbaa8c23f61a2abce059a0243fc

SHA256
94a624eedee8fa98ef1fb732924c8b1a0190617403aa9a65c7894a8260f51418

SHA512
95564dac9f407b7e42fe4c9c1af38f07cbcd3543d393c2c29935c8db531a6300f38976b0f19746b13b6f05edd5ac63b41a0cc7182148dbbfbdf5306f1d46eb86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53Vo90.exe
Filesize
236KB

MD5
29c97918109fbcd62b0891c7a882116d

SHA1
55a22ff0220e7bbaa8c23f61a2abce059a0243fc

SHA256
94a624eedee8fa98ef1fb732924c8b1a0190617403aa9a65c7894a8260f51418

SHA512
95564dac9f407b7e42fe4c9c1af38f07cbcd3543d393c2c29935c8db531a6300f38976b0f19746b13b6f05edd5ac63b41a0cc7182148dbbfbdf5306f1d46eb86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6391.exe
Filesize
816KB

MD5
59e0ccf5ed3e0eb1eca1fe66d1e9a547

SHA1
78d2f610abf6d08fafc46a8d8ad7077f357bd01d

SHA256
ea041a572cbb50278539294b6d96c9bafd703fc7fff3a60718c7473df47e0be1

SHA512
b434a1a6de5c41df57b61674c7dc6ff87e833171ad5d60556833fc2ae843812a46bfd85225e4d38dce7d1621910ead62aff46b9409c266d2d3666a1b2e3fbdbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6391.exe
Filesize
816KB

MD5
59e0ccf5ed3e0eb1eca1fe66d1e9a547

SHA1
78d2f610abf6d08fafc46a8d8ad7077f357bd01d

SHA256
ea041a572cbb50278539294b6d96c9bafd703fc7fff3a60718c7473df47e0be1

SHA512
b434a1a6de5c41df57b61674c7dc6ff87e833171ad5d60556833fc2ae843812a46bfd85225e4d38dce7d1621910ead62aff46b9409c266d2d3666a1b2e3fbdbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xlcUJ55.exe
Filesize
175KB

MD5
4f19d810a88f793c1d8b2a2fa5c7f80a

SHA1
0e93631b9728933ba5e40f6fc40d93125d48bd9a

SHA256
77c2e4866a8a9afbf1a3d51d9735f08ace7c811f0229eeba9f57f6b3ea611e3c

SHA512
52e7ea0c9f07b31e985c87a54c63e30b0b4f632d82e5852a769b0e725c793bd2ead35990fd5bacd551a61dc6b5b2d3e6c406148cebfa4d5f3190e5fdfcb94fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xlcUJ55.exe
Filesize
175KB

MD5
4f19d810a88f793c1d8b2a2fa5c7f80a

SHA1
0e93631b9728933ba5e40f6fc40d93125d48bd9a

SHA256
77c2e4866a8a9afbf1a3d51d9735f08ace7c811f0229eeba9f57f6b3ea611e3c

SHA512
52e7ea0c9f07b31e985c87a54c63e30b0b4f632d82e5852a769b0e725c793bd2ead35990fd5bacd551a61dc6b5b2d3e6c406148cebfa4d5f3190e5fdfcb94fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0105.exe
Filesize
674KB

MD5
a053ce4b2d31daf2cef7c1c86e46dbeb

SHA1
ef827a82c10a17be906e868a370ac6f0ce3f907a

SHA256
f473a1850df4c1e4925a88d0b8512f3b5f51a92a96cec49804c6832eff4cba90

SHA512
a51082cc7b941dd1936c48af6f797afc7861099d098eff23b99ce9b7112788a5d001eed01bfb8c486eb902d116ff973d058a1d52226025bb604a458b2c6bbd4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0105.exe
Filesize
674KB

MD5
a053ce4b2d31daf2cef7c1c86e46dbeb

SHA1
ef827a82c10a17be906e868a370ac6f0ce3f907a

SHA256
f473a1850df4c1e4925a88d0b8512f3b5f51a92a96cec49804c6832eff4cba90

SHA512
a51082cc7b941dd1936c48af6f797afc7861099d098eff23b99ce9b7112788a5d001eed01bfb8c486eb902d116ff973d058a1d52226025bb604a458b2c6bbd4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w06mJ70.exe
Filesize
318KB

MD5
621fd70c42711505fbc87e4be7709438

SHA1
c817901380694dbed649fb5a2803dae56db44656

SHA256
0c0d4dfa1a3916d65f75acca2450351a2eb0e537a996cc48c9f867a631998768

SHA512
bcbbfad26c51a8d417417fc7f8c586486d2f5e1392339af42903f0402b722273df568b292452b395f2de4787e22ea331f829bbed451064ba52dfed0132d8ee74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w06mJ70.exe
Filesize
318KB

MD5
621fd70c42711505fbc87e4be7709438

SHA1
c817901380694dbed649fb5a2803dae56db44656

SHA256
0c0d4dfa1a3916d65f75acca2450351a2eb0e537a996cc48c9f867a631998768

SHA512
bcbbfad26c51a8d417417fc7f8c586486d2f5e1392339af42903f0402b722273df568b292452b395f2de4787e22ea331f829bbed451064ba52dfed0132d8ee74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2383.exe
Filesize
333KB

MD5
b69f4d328633880d542384cddf619da1

SHA1
59a67b4d62a1a5edf1d281c84d6d30f28364f9fd

SHA256
09a861d2bda1c87bc3be0cabb19703c6f1b9a8f0f3509047db11f8add6ebee97

SHA512
560f7f0950dd240903a65f576b87c76c4adc9566818848e546167b2697dd46199846ebdea22499619d645deeb8d3440fc62507c24284e3c8ac3c246097ced57e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2383.exe
Filesize
333KB

MD5
b69f4d328633880d542384cddf619da1

SHA1
59a67b4d62a1a5edf1d281c84d6d30f28364f9fd

SHA256
09a861d2bda1c87bc3be0cabb19703c6f1b9a8f0f3509047db11f8add6ebee97

SHA512
560f7f0950dd240903a65f576b87c76c4adc9566818848e546167b2697dd46199846ebdea22499619d645deeb8d3440fc62507c24284e3c8ac3c246097ced57e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6220.exe
Filesize
11KB

MD5
7b9f50e47935f74cf8a306148a878060

SHA1
5a010c417b51f4ec26d895ca2e268d1951314e60

SHA256
fed970b41c656be27189e3e2ec201fd144d8e5e1110f884f4ae4fc824ec565b7

SHA512
9181790ff2ce97932e7b4cdf648ebdd1903531ec4718bbfb8cbed7e81335e8556b3308b34af57050fd63884f7209d44888ffd6dee2ed7ac87099e82943b12439

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6220.exe
Filesize
11KB

MD5
7b9f50e47935f74cf8a306148a878060

SHA1
5a010c417b51f4ec26d895ca2e268d1951314e60

SHA256
fed970b41c656be27189e3e2ec201fd144d8e5e1110f884f4ae4fc824ec565b7

SHA512
9181790ff2ce97932e7b4cdf648ebdd1903531ec4718bbfb8cbed7e81335e8556b3308b34af57050fd63884f7209d44888ffd6dee2ed7ac87099e82943b12439

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7998vl.exe
Filesize
259KB

MD5
5a009024dcf752d51347d57968a55a9c

SHA1
ae79bb422f1d93a583ef2895a664a5f460015353

SHA256
d6494ce401a44aa6e477ac2dc7f2c886afe10714e5b4dbde86f012faedbfd4ae

SHA512
f3ba29e276a06a572dbbc8ca21e0e0ed2c8867e35bd50ad9b1e50884105e9b721998c3834d95cc54ab9e9f221a54d66a4b732d7a58ae9d8ce48ef22f916598b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7998vl.exe
Filesize
259KB

MD5
5a009024dcf752d51347d57968a55a9c

SHA1
ae79bb422f1d93a583ef2895a664a5f460015353

SHA256
d6494ce401a44aa6e477ac2dc7f2c886afe10714e5b4dbde86f012faedbfd4ae

SHA512
f3ba29e276a06a572dbbc8ca21e0e0ed2c8867e35bd50ad9b1e50884105e9b721998c3834d95cc54ab9e9f221a54d66a4b732d7a58ae9d8ce48ef22f916598b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
29c97918109fbcd62b0891c7a882116d

SHA1
55a22ff0220e7bbaa8c23f61a2abce059a0243fc

SHA256
94a624eedee8fa98ef1fb732924c8b1a0190617403aa9a65c7894a8260f51418

SHA512
95564dac9f407b7e42fe4c9c1af38f07cbcd3543d393c2c29935c8db531a6300f38976b0f19746b13b6f05edd5ac63b41a0cc7182148dbbfbdf5306f1d46eb86

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
29c97918109fbcd62b0891c7a882116d

SHA1
55a22ff0220e7bbaa8c23f61a2abce059a0243fc

SHA256
94a624eedee8fa98ef1fb732924c8b1a0190617403aa9a65c7894a8260f51418

SHA512
95564dac9f407b7e42fe4c9c1af38f07cbcd3543d393c2c29935c8db531a6300f38976b0f19746b13b6f05edd5ac63b41a0cc7182148dbbfbdf5306f1d46eb86

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
29c97918109fbcd62b0891c7a882116d

SHA1
55a22ff0220e7bbaa8c23f61a2abce059a0243fc

SHA256
94a624eedee8fa98ef1fb732924c8b1a0190617403aa9a65c7894a8260f51418

SHA512
95564dac9f407b7e42fe4c9c1af38f07cbcd3543d393c2c29935c8db531a6300f38976b0f19746b13b6f05edd5ac63b41a0cc7182148dbbfbdf5306f1d46eb86

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
29c97918109fbcd62b0891c7a882116d

SHA1
55a22ff0220e7bbaa8c23f61a2abce059a0243fc

SHA256
94a624eedee8fa98ef1fb732924c8b1a0190617403aa9a65c7894a8260f51418

SHA512
95564dac9f407b7e42fe4c9c1af38f07cbcd3543d393c2c29935c8db531a6300f38976b0f19746b13b6f05edd5ac63b41a0cc7182148dbbfbdf5306f1d46eb86

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
29c97918109fbcd62b0891c7a882116d

SHA1
55a22ff0220e7bbaa8c23f61a2abce059a0243fc

SHA256
94a624eedee8fa98ef1fb732924c8b1a0190617403aa9a65c7894a8260f51418

SHA512
95564dac9f407b7e42fe4c9c1af38f07cbcd3543d393c2c29935c8db531a6300f38976b0f19746b13b6f05edd5ac63b41a0cc7182148dbbfbdf5306f1d46eb86

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1260-167-0x0000000004DD0000-0x0000000005374000-memory.dmp

Filesize
5.6MB

Download
memory/1260-183-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1260-189-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1260-191-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1260-193-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1260-195-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1260-197-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1260-199-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1260-200-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1260-201-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1260-202-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1260-203-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1260-205-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1260-168-0x0000000000610000-0x000000000063D000-memory.dmp

Filesize
180KB

Download
memory/1260-185-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1260-187-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1260-181-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1260-179-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1260-177-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1260-175-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1260-173-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1260-172-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1260-171-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1260-169-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1260-170-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1404-161-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/2856-1142-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/2856-1141-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/2856-1140-0x00000000003A0000-0x00000000003D2000-memory.dmp

Filesize
200KB

Download
memory/3424-220-0x0000000002550000-0x000000000258F000-memory.dmp

Filesize
252KB

Download
memory/3424-239-0x0000000002550000-0x000000000258F000-memory.dmp

Filesize
252KB

Download
memory/3424-241-0x0000000002550000-0x000000000258F000-memory.dmp

Filesize
252KB

Download
memory/3424-243-0x0000000002550000-0x000000000258F000-memory.dmp

Filesize
252KB

Download
memory/3424-245-0x0000000002550000-0x000000000258F000-memory.dmp

Filesize
252KB

Download
memory/3424-1120-0x0000000005130000-0x0000000005748000-memory.dmp

Filesize
6.1MB

Download
memory/3424-1121-0x0000000005760000-0x000000000586A000-memory.dmp

Filesize
1.0MB

Download
memory/3424-1122-0x00000000058A0000-0x00000000058B2000-memory.dmp

Filesize
72KB

Download
memory/3424-1123-0x00000000058C0000-0x00000000058FC000-memory.dmp

Filesize
240KB

Download
memory/3424-1124-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/3424-1126-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/3424-1127-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/3424-1128-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download
memory/3424-1129-0x0000000006270000-0x0000000006302000-memory.dmp

Filesize
584KB

Download
memory/3424-1130-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/3424-1131-0x0000000006470000-0x0000000006632000-memory.dmp

Filesize
1.8MB

Download
memory/3424-1132-0x0000000006650000-0x0000000006B7C000-memory.dmp

Filesize
5.2MB

Download
memory/3424-1133-0x0000000006CD0000-0x0000000006D46000-memory.dmp

Filesize
472KB

Download
memory/3424-237-0x0000000002550000-0x000000000258F000-memory.dmp

Filesize
252KB

Download
memory/3424-235-0x0000000002550000-0x000000000258F000-memory.dmp

Filesize
252KB

Download
memory/3424-233-0x0000000002550000-0x000000000258F000-memory.dmp

Filesize
252KB

Download
memory/3424-232-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/3424-228-0x0000000002130000-0x000000000217B000-memory.dmp

Filesize
300KB

Download
memory/3424-230-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/3424-229-0x0000000002550000-0x000000000258F000-memory.dmp

Filesize
252KB

Download
memory/3424-226-0x0000000002550000-0x000000000258F000-memory.dmp

Filesize
252KB

Download
memory/3424-224-0x0000000002550000-0x000000000258F000-memory.dmp

Filesize
252KB

Download
memory/3424-222-0x0000000002550000-0x000000000258F000-memory.dmp

Filesize
252KB

Download
memory/3424-218-0x0000000002550000-0x000000000258F000-memory.dmp

Filesize
252KB

Download
memory/3424-216-0x0000000002550000-0x000000000258F000-memory.dmp

Filesize
252KB

Download
memory/3424-214-0x0000000002550000-0x000000000258F000-memory.dmp

Filesize
252KB

Download
memory/3424-212-0x0000000002550000-0x000000000258F000-memory.dmp

Filesize
252KB

Download
memory/3424-211-0x0000000002550000-0x000000000258F000-memory.dmp

Filesize
252KB

Download
memory/3424-1134-0x0000000006D50000-0x0000000006DA0000-memory.dmp

Filesize
320KB

Download