amadey | 3f4e2a8264cd778bdbdf2b5b8e2145d8610e3a3806a071ff48c91d358aa2682c

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f4e2a8264cd778bdbdf2b5b8e2145d8610e3a3806a071ff48c91d358aa2682c.exe
Size

1000KB
MD5

63b0a5dc6fa69123e04edf75740bd3ef
SHA1

1689277de3bbc7fc36f60ce8c79d11fe26fef55c
SHA256

3f4e2a8264cd778bdbdf2b5b8e2145d8610e3a3806a071ff48c91d358aa2682c
SHA512

df638ed10b6c389399bb244219d0e1f1c56e581cfc154231f38990783969fc36917279b9faa0ca1db9111544e4bda9e8304ef05fec26a218aa3ef877844fef57
SSDEEP

24576:9ys5VRJWj24NfhiiSJPqUxHiMKoctzwxo1asbTLI:Y67aJNfciSPqUx0Bwxo1asb

Score

10^/10

amadey laplas redline lift rosn clipper discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v4871qF.exetz9537.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v4871qF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v4871qF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v4871qF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz9537.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz9537.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz9537.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz9537.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v4871qF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v4871qF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v4871qF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz9537.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz9537.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1532-211-0x0000000002500000-0x000000000253F000-memory.dmp	family_redline
behavioral1/memory/1532-212-0x0000000002500000-0x000000000253F000-memory.dmp	family_redline
behavioral1/memory/1532-214-0x0000000002500000-0x000000000253F000-memory.dmp	family_redline
behavioral1/memory/1532-216-0x0000000002500000-0x000000000253F000-memory.dmp	family_redline
behavioral1/memory/1532-218-0x0000000002500000-0x000000000253F000-memory.dmp	family_redline
behavioral1/memory/1532-220-0x0000000002500000-0x000000000253F000-memory.dmp	family_redline
behavioral1/memory/1532-222-0x0000000002500000-0x000000000253F000-memory.dmp	family_redline
behavioral1/memory/1532-224-0x0000000002500000-0x000000000253F000-memory.dmp	family_redline
behavioral1/memory/1532-226-0x0000000002500000-0x000000000253F000-memory.dmp	family_redline
behavioral1/memory/1532-228-0x0000000002500000-0x000000000253F000-memory.dmp	family_redline
behavioral1/memory/1532-230-0x0000000002500000-0x000000000253F000-memory.dmp	family_redline
behavioral1/memory/1532-232-0x0000000002500000-0x000000000253F000-memory.dmp	family_redline
behavioral1/memory/1532-234-0x0000000002500000-0x000000000253F000-memory.dmp	family_redline
behavioral1/memory/1532-236-0x0000000002500000-0x000000000253F000-memory.dmp	family_redline
behavioral1/memory/1532-238-0x0000000002500000-0x000000000253F000-memory.dmp	family_redline
behavioral1/memory/1532-240-0x0000000002500000-0x000000000253F000-memory.dmp	family_redline
behavioral1/memory/1532-242-0x0000000002500000-0x000000000253F000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y43Kl46.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	y43Kl46.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 11 IoCs

Processes:

zap3208.exezap3224.exezap8211.exetz9537.exev4871qF.exew22jk28.exexJmaY42.exey43Kl46.exeoneetx.exesvhosts.exentlhost.exe

pid	process
1564	zap3208.exe
652	zap3224.exe
368	zap8211.exe
4784	tz9537.exe
5036	v4871qF.exe
1532	w22jk28.exe
1132	xJmaY42.exe
4644	y43Kl46.exe
2712	oneetx.exe
4296	svhosts.exe
1880	ntlhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz9537.exev4871qF.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz9537.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v4871qF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v4871qF.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap3208.exezap3224.exe3f4e2a8264cd778bdbdf2b5b8e2145d8610e3a3806a071ff48c91d358aa2682c.exezap8211.exesvhosts.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3208.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3224.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap3224.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3f4e2a8264cd778bdbdf2b5b8e2145d8610e3a3806a071ff48c91d358aa2682c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3f4e2a8264cd778bdbdf2b5b8e2145d8610e3a3806a071ff48c91d358aa2682c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap3208.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8211.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap8211.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	svhosts.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1752 5036 WerFault.exe v4871qF.exe
1128 1532 WerFault.exe w22jk28.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

976 schtasks.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 39 Go-http-client/1.1
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz9537.exev4871qF.exew22jk28.exexJmaY42.exe

pid process

4784 tz9537.exe
4784 tz9537.exe
5036 v4871qF.exe
5036 v4871qF.exe
1532 w22jk28.exe
1532 w22jk28.exe
1132 xJmaY42.exe
1132 xJmaY42.exe

pid	pid_target	process	target process
1752	5036	WerFault.exe	v4871qF.exe
1128	1532	WerFault.exe	w22jk28.exe

pid	process
976	schtasks.exe

description	flow	ioc
HTTP User-Agent header	39	Go-http-client/1.1

pid	process
4784	tz9537.exe
4784	tz9537.exe
5036	v4871qF.exe
5036	v4871qF.exe
1532	w22jk28.exe
1532	w22jk28.exe
1132	xJmaY42.exe
1132	xJmaY42.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz9537.exev4871qF.exew22jk28.exexJmaY42.exe

description	pid	process
Token: SeDebugPrivilege	4784	tz9537.exe
Token: SeDebugPrivilege	5036	v4871qF.exe
Token: SeDebugPrivilege	1532	w22jk28.exe
Token: SeDebugPrivilege	1132	xJmaY42.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y43Kl46.exe

pid process

4644 y43Kl46.exe

pid	process
4644	y43Kl46.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

3f4e2a8264cd778bdbdf2b5b8e2145d8610e3a3806a071ff48c91d358aa2682c.exezap3208.exezap3224.exezap8211.exey43Kl46.exeoneetx.execmd.exesvhosts.exe

description	pid	process	target process
PID 1604 wrote to memory of 1564	1604	3f4e2a8264cd778bdbdf2b5b8e2145d8610e3a3806a071ff48c91d358aa2682c.exe	zap3208.exe
PID 1604 wrote to memory of 1564	1604	3f4e2a8264cd778bdbdf2b5b8e2145d8610e3a3806a071ff48c91d358aa2682c.exe	zap3208.exe
PID 1604 wrote to memory of 1564	1604	3f4e2a8264cd778bdbdf2b5b8e2145d8610e3a3806a071ff48c91d358aa2682c.exe	zap3208.exe
PID 1564 wrote to memory of 652	1564	zap3208.exe	zap3224.exe
PID 1564 wrote to memory of 652	1564	zap3208.exe	zap3224.exe
PID 1564 wrote to memory of 652	1564	zap3208.exe	zap3224.exe
PID 652 wrote to memory of 368	652	zap3224.exe	zap8211.exe
PID 652 wrote to memory of 368	652	zap3224.exe	zap8211.exe
PID 652 wrote to memory of 368	652	zap3224.exe	zap8211.exe
PID 368 wrote to memory of 4784	368	zap8211.exe	tz9537.exe
PID 368 wrote to memory of 4784	368	zap8211.exe	tz9537.exe
PID 368 wrote to memory of 5036	368	zap8211.exe	v4871qF.exe
PID 368 wrote to memory of 5036	368	zap8211.exe	v4871qF.exe
PID 368 wrote to memory of 5036	368	zap8211.exe	v4871qF.exe
PID 652 wrote to memory of 1532	652	zap3224.exe	w22jk28.exe
PID 652 wrote to memory of 1532	652	zap3224.exe	w22jk28.exe
PID 652 wrote to memory of 1532	652	zap3224.exe	w22jk28.exe
PID 1564 wrote to memory of 1132	1564	zap3208.exe	xJmaY42.exe
PID 1564 wrote to memory of 1132	1564	zap3208.exe	xJmaY42.exe
PID 1564 wrote to memory of 1132	1564	zap3208.exe	xJmaY42.exe
PID 1604 wrote to memory of 4644	1604	3f4e2a8264cd778bdbdf2b5b8e2145d8610e3a3806a071ff48c91d358aa2682c.exe	y43Kl46.exe
PID 1604 wrote to memory of 4644	1604	3f4e2a8264cd778bdbdf2b5b8e2145d8610e3a3806a071ff48c91d358aa2682c.exe	y43Kl46.exe
PID 1604 wrote to memory of 4644	1604	3f4e2a8264cd778bdbdf2b5b8e2145d8610e3a3806a071ff48c91d358aa2682c.exe	y43Kl46.exe
PID 4644 wrote to memory of 2712	4644	y43Kl46.exe	oneetx.exe
PID 4644 wrote to memory of 2712	4644	y43Kl46.exe	oneetx.exe
PID 4644 wrote to memory of 2712	4644	y43Kl46.exe	oneetx.exe
PID 2712 wrote to memory of 976	2712	oneetx.exe	schtasks.exe
PID 2712 wrote to memory of 976	2712	oneetx.exe	schtasks.exe
PID 2712 wrote to memory of 976	2712	oneetx.exe	schtasks.exe
PID 2712 wrote to memory of 4468	2712	oneetx.exe	cmd.exe
PID 2712 wrote to memory of 4468	2712	oneetx.exe	cmd.exe
PID 2712 wrote to memory of 4468	2712	oneetx.exe	cmd.exe
PID 4468 wrote to memory of 4132	4468	cmd.exe	cmd.exe
PID 4468 wrote to memory of 4132	4468	cmd.exe	cmd.exe
PID 4468 wrote to memory of 4132	4468	cmd.exe	cmd.exe
PID 4468 wrote to memory of 4836	4468	cmd.exe	cacls.exe
PID 4468 wrote to memory of 4836	4468	cmd.exe	cacls.exe
PID 4468 wrote to memory of 4836	4468	cmd.exe	cacls.exe
PID 4468 wrote to memory of 2972	4468	cmd.exe	cacls.exe
PID 4468 wrote to memory of 2972	4468	cmd.exe	cacls.exe
PID 4468 wrote to memory of 2972	4468	cmd.exe	cacls.exe
PID 4468 wrote to memory of 3220	4468	cmd.exe	cmd.exe
PID 4468 wrote to memory of 3220	4468	cmd.exe	cmd.exe
PID 4468 wrote to memory of 3220	4468	cmd.exe	cmd.exe
PID 4468 wrote to memory of 3572	4468	cmd.exe	cacls.exe
PID 4468 wrote to memory of 3572	4468	cmd.exe	cacls.exe
PID 4468 wrote to memory of 3572	4468	cmd.exe	cacls.exe
PID 4468 wrote to memory of 1600	4468	cmd.exe	cacls.exe
PID 4468 wrote to memory of 1600	4468	cmd.exe	cacls.exe
PID 4468 wrote to memory of 1600	4468	cmd.exe	cacls.exe
PID 2712 wrote to memory of 4296	2712	oneetx.exe	svhosts.exe
PID 2712 wrote to memory of 4296	2712	oneetx.exe	svhosts.exe
PID 2712 wrote to memory of 4296	2712	oneetx.exe	svhosts.exe
PID 4296 wrote to memory of 1880	4296	svhosts.exe	ntlhost.exe
PID 4296 wrote to memory of 1880	4296	svhosts.exe	ntlhost.exe
PID 4296 wrote to memory of 1880	4296	svhosts.exe	ntlhost.exe

C:\Users\Admin\AppData\Local\Temp\3f4e2a8264cd778bdbdf2b5b8e2145d8610e3a3806a071ff48c91d358aa2682c.exe
"C:\Users\Admin\AppData\Local\Temp\3f4e2a8264cd778bdbdf2b5b8e2145d8610e3a3806a071ff48c91d358aa2682c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3208.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3208.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3224.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3224.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8211.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8211.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9537.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9537.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4871qF.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4871qF.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1080
6⤵
- Program crash
PID:1752

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w22jk28.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w22jk28.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1328
5⤵
- Program crash
PID:1128

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xJmaY42.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xJmaY42.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y43Kl46.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y43Kl46.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4644

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4132

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:4836

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3220

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:3572

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\1000027001\svhosts.exe
"C:\Users\Admin\AppData\Local\Temp\1000027001\svhosts.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4296

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
5⤵
- Executes dropped EXE
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5036 -ip 5036
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1532 -ip 1532
1⤵
PID:3764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000027001\svhosts.exe
Filesize
1.8MB

MD5
0a935300ad790ad8d03666b1f14e73a4

SHA1
57bf66e15b0cbf325ce66d4c9d5592088a1a8e00

SHA256
9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12

SHA512
64e7c5e9b0c301a2b4a87dc0189fa55bc7c8690d9148382fd237851348a977376a9772c232f6a898417e92e739add1410d3f143f93547eb99c57fa064ce78096

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\svhosts.exe
Filesize
1.8MB

MD5
0a935300ad790ad8d03666b1f14e73a4

SHA1
57bf66e15b0cbf325ce66d4c9d5592088a1a8e00

SHA256
9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12

SHA512
64e7c5e9b0c301a2b4a87dc0189fa55bc7c8690d9148382fd237851348a977376a9772c232f6a898417e92e739add1410d3f143f93547eb99c57fa064ce78096

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\svhosts.exe
Filesize
1.8MB

MD5
0a935300ad790ad8d03666b1f14e73a4

SHA1
57bf66e15b0cbf325ce66d4c9d5592088a1a8e00

SHA256
9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12

SHA512
64e7c5e9b0c301a2b4a87dc0189fa55bc7c8690d9148382fd237851348a977376a9772c232f6a898417e92e739add1410d3f143f93547eb99c57fa064ce78096

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y43Kl46.exe
Filesize
236KB

MD5
b5b6e1eeb6b12a63b5c8a9e5bd46661b

SHA1
ff5623ae8683e77a0e6d1fa97b88bab91ee8aad7

SHA256
05c1f00b2c48ddd9116f08d8603620bca3b08309a1463b6dfa79fbeebb278425

SHA512
efa135344acfb5582cb411abaee4cb55914f1e6860aa616bd75ccaa53515b9f835ca88d513345243ad1a89f8f053792694df5a882eefccc2d63f8ea7ffc694ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y43Kl46.exe
Filesize
236KB

MD5
b5b6e1eeb6b12a63b5c8a9e5bd46661b

SHA1
ff5623ae8683e77a0e6d1fa97b88bab91ee8aad7

SHA256
05c1f00b2c48ddd9116f08d8603620bca3b08309a1463b6dfa79fbeebb278425

SHA512
efa135344acfb5582cb411abaee4cb55914f1e6860aa616bd75ccaa53515b9f835ca88d513345243ad1a89f8f053792694df5a882eefccc2d63f8ea7ffc694ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3208.exe
Filesize
816KB

MD5
220fa93d5af1f8cf7d1f2abce6c09faf

SHA1
d59b4d3832781b695e61e6f73e7f90e57e925eff

SHA256
6a53a1ecab93da34d7e13e8e1f81652df548df3b53ec2a5e9258d4cdad0dd6b3

SHA512
46cc76ad53197c39d7f49984941a8183bf3425403bd7a65b18bdf35ec944fd215be902c9536e52db3b226e22c3199991ececaa048d2462f2ad5f4b93eb7c26ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3208.exe
Filesize
816KB

MD5
220fa93d5af1f8cf7d1f2abce6c09faf

SHA1
d59b4d3832781b695e61e6f73e7f90e57e925eff

SHA256
6a53a1ecab93da34d7e13e8e1f81652df548df3b53ec2a5e9258d4cdad0dd6b3

SHA512
46cc76ad53197c39d7f49984941a8183bf3425403bd7a65b18bdf35ec944fd215be902c9536e52db3b226e22c3199991ececaa048d2462f2ad5f4b93eb7c26ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xJmaY42.exe
Filesize
175KB

MD5
5f515f29d3bbebae022e0ea679fe8e03

SHA1
3ec2e2617632dea33b3d2e97f4b13a6f8632f680

SHA256
908f4fd78a193c105adbd88e214bc7c0681a0b3cf3d1f9854df2ffda88d8992c

SHA512
ab471491f0dc064796c86920dab579c4e2213dd1f3b54f60163da45da25481b907f1e321c78797e0e97b30faa867d7380ffc3db797d93a20c250e6f2ce5826ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xJmaY42.exe
Filesize
175KB

MD5
5f515f29d3bbebae022e0ea679fe8e03

SHA1
3ec2e2617632dea33b3d2e97f4b13a6f8632f680

SHA256
908f4fd78a193c105adbd88e214bc7c0681a0b3cf3d1f9854df2ffda88d8992c

SHA512
ab471491f0dc064796c86920dab579c4e2213dd1f3b54f60163da45da25481b907f1e321c78797e0e97b30faa867d7380ffc3db797d93a20c250e6f2ce5826ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3224.exe
Filesize
674KB

MD5
2b70dbcd1d009c31f34524a2f4c935b4

SHA1
6882f5ad7c6b404950fe02a7f3b5168bbf3c5478

SHA256
4729b813d82df18c359a1d181c376a9b1feb1fb3fce1d346fe79675dcbfd5d0b

SHA512
211fa52acb61d3d12996014f79e8511c58d5579d531f77523237320d46c644323bf7a6b00506a96133a3efca7c3e69e19a59e1aeaca797541d3d2ac72f8d5bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3224.exe
Filesize
674KB

MD5
2b70dbcd1d009c31f34524a2f4c935b4

SHA1
6882f5ad7c6b404950fe02a7f3b5168bbf3c5478

SHA256
4729b813d82df18c359a1d181c376a9b1feb1fb3fce1d346fe79675dcbfd5d0b

SHA512
211fa52acb61d3d12996014f79e8511c58d5579d531f77523237320d46c644323bf7a6b00506a96133a3efca7c3e69e19a59e1aeaca797541d3d2ac72f8d5bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w22jk28.exe
Filesize
318KB

MD5
f69a45ecf5fc7bab7f1015715ea4036d

SHA1
4cbb3aa2f26c910a622ecfebea91edcde39c4801

SHA256
88a3c18d86a3c54e78fe579d45c1dfea7ade605ca18e00582167218b8dd18309

SHA512
66b2b319ee3384145063d9474d762b8fdef7171b9e1ffcab99813c5958e89e16d3bde2c331a9f4b514206ea8015cf6041a71f6a8a95ac1f2ba80a2dd03cbd8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w22jk28.exe
Filesize
318KB

MD5
f69a45ecf5fc7bab7f1015715ea4036d

SHA1
4cbb3aa2f26c910a622ecfebea91edcde39c4801

SHA256
88a3c18d86a3c54e78fe579d45c1dfea7ade605ca18e00582167218b8dd18309

SHA512
66b2b319ee3384145063d9474d762b8fdef7171b9e1ffcab99813c5958e89e16d3bde2c331a9f4b514206ea8015cf6041a71f6a8a95ac1f2ba80a2dd03cbd8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8211.exe
Filesize
333KB

MD5
7a26cb7189705b556cb8ae1a43ac1734

SHA1
e9963c328548771e430605e72ae3de967e495385

SHA256
1b264d3b15e91357e6b334f09703d9f8b020fb90c1c65c37d98b82337f318540

SHA512
43fc34fbe121fcc5f5daacbd1c6a6fe43b972a7ac0489fb368d323da877d056d0b5d51fe2770ad78e218a1e0c1283277780ba7e0ed0782e0dd5561e74c463aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8211.exe
Filesize
333KB

MD5
7a26cb7189705b556cb8ae1a43ac1734

SHA1
e9963c328548771e430605e72ae3de967e495385

SHA256
1b264d3b15e91357e6b334f09703d9f8b020fb90c1c65c37d98b82337f318540

SHA512
43fc34fbe121fcc5f5daacbd1c6a6fe43b972a7ac0489fb368d323da877d056d0b5d51fe2770ad78e218a1e0c1283277780ba7e0ed0782e0dd5561e74c463aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9537.exe
Filesize
11KB

MD5
7f66ea9f02b433761d60bfbf7a592c22

SHA1
642f842216b4d4e3e17747ad4d23692dc402358e

SHA256
c9e7cb695a217d63ed7b5aadc79a244c9d5c2a278ab70af9210aed9bb5115ec8

SHA512
fb51d9734f71808021cb9f171a9d1b79a138542db05bbf5d70582ffaa199a6d3adba924450bf1919b6f6a2286f3b14a945e3f2146f24be1905ef07a2f30fa494

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9537.exe
Filesize
11KB

MD5
7f66ea9f02b433761d60bfbf7a592c22

SHA1
642f842216b4d4e3e17747ad4d23692dc402358e

SHA256
c9e7cb695a217d63ed7b5aadc79a244c9d5c2a278ab70af9210aed9bb5115ec8

SHA512
fb51d9734f71808021cb9f171a9d1b79a138542db05bbf5d70582ffaa199a6d3adba924450bf1919b6f6a2286f3b14a945e3f2146f24be1905ef07a2f30fa494

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4871qF.exe
Filesize
259KB

MD5
39c0a13edede92f38fb51ddcf6335a70

SHA1
944ee7c03b1fb777d5f17c3077b4b54d06d69488

SHA256
8f41d24c4320e30b6542d0573e39e77635094ff9f42745b067f2027014f853d9

SHA512
01f9e348ee49c3accc62178a8e5fd810ca14fe9373cab39b8a327e328ca7162a2748a773088ebec07eef485b848d676dfa766c153a531e8c9b5bb2d85793460e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4871qF.exe
Filesize
259KB

MD5
39c0a13edede92f38fb51ddcf6335a70

SHA1
944ee7c03b1fb777d5f17c3077b4b54d06d69488

SHA256
8f41d24c4320e30b6542d0573e39e77635094ff9f42745b067f2027014f853d9

SHA512
01f9e348ee49c3accc62178a8e5fd810ca14fe9373cab39b8a327e328ca7162a2748a773088ebec07eef485b848d676dfa766c153a531e8c9b5bb2d85793460e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
b5b6e1eeb6b12a63b5c8a9e5bd46661b

SHA1
ff5623ae8683e77a0e6d1fa97b88bab91ee8aad7

SHA256
05c1f00b2c48ddd9116f08d8603620bca3b08309a1463b6dfa79fbeebb278425

SHA512
efa135344acfb5582cb411abaee4cb55914f1e6860aa616bd75ccaa53515b9f835ca88d513345243ad1a89f8f053792694df5a882eefccc2d63f8ea7ffc694ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
b5b6e1eeb6b12a63b5c8a9e5bd46661b

SHA1
ff5623ae8683e77a0e6d1fa97b88bab91ee8aad7

SHA256
05c1f00b2c48ddd9116f08d8603620bca3b08309a1463b6dfa79fbeebb278425

SHA512
efa135344acfb5582cb411abaee4cb55914f1e6860aa616bd75ccaa53515b9f835ca88d513345243ad1a89f8f053792694df5a882eefccc2d63f8ea7ffc694ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
b5b6e1eeb6b12a63b5c8a9e5bd46661b

SHA1
ff5623ae8683e77a0e6d1fa97b88bab91ee8aad7

SHA256
05c1f00b2c48ddd9116f08d8603620bca3b08309a1463b6dfa79fbeebb278425

SHA512
efa135344acfb5582cb411abaee4cb55914f1e6860aa616bd75ccaa53515b9f835ca88d513345243ad1a89f8f053792694df5a882eefccc2d63f8ea7ffc694ad

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
26.5MB

MD5
c6252a81051625373a03cdfb03f3a392

SHA1
e208eaca6044792a60008f01be5635b51c900604

SHA256
bbd9cf52084d569e0875c689b47b2f63a811d66d71988fdc89643f7bea8e3903

SHA512
77df6705c3e709252d74f90a667b3fba4eae82c28708a55e0d72e3b13772adc8c3530005cc42e72bc1bf0f20995b060cb6836a7c9684723be97969dab0ad7f12

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
22.6MB

MD5
1375339d0f3bc7ac2cc7ef2a720491fb

SHA1
445e2c5dc4074e0df50e1eebd000d5d220185c9d

SHA256
4d546ec81fd91ed9713acb2c718c8b1aac6cc5c85b08703b402b0685a26ec394

SHA512
eae2b39ea27eb0044e0d2f6fbaafda6aca485edd05e87c067a73ad710edcaefe8da551969776b5834bda8de5fddc550fd4fcd9707120ba532666d953b0df092b

Download Submit
memory/1132-1144-0x0000000000570000-0x00000000005A2000-memory.dmp

Filesize
200KB

Download
memory/1132-1145-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/1532-1129-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/1532-306-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/1532-1137-0x0000000006FC0000-0x0000000007010000-memory.dmp

Filesize
320KB

Download
memory/1532-1136-0x0000000006F30000-0x0000000006FA6000-memory.dmp

Filesize
472KB

Download
memory/1532-1134-0x0000000006690000-0x0000000006BBC000-memory.dmp

Filesize
5.2MB

Download
memory/1532-1133-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/1532-1132-0x00000000064C0000-0x0000000006682000-memory.dmp

Filesize
1.8MB

Download
memory/1532-1131-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/1532-1130-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/1532-1128-0x00000000063C0000-0x0000000006452000-memory.dmp

Filesize
584KB

Download
memory/1532-1127-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/1532-1125-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/1532-211-0x0000000002500000-0x000000000253F000-memory.dmp

Filesize
252KB

Download
memory/1532-212-0x0000000002500000-0x000000000253F000-memory.dmp

Filesize
252KB

Download
memory/1532-214-0x0000000002500000-0x000000000253F000-memory.dmp

Filesize
252KB

Download
memory/1532-216-0x0000000002500000-0x000000000253F000-memory.dmp

Filesize
252KB

Download
memory/1532-218-0x0000000002500000-0x000000000253F000-memory.dmp

Filesize
252KB

Download
memory/1532-220-0x0000000002500000-0x000000000253F000-memory.dmp

Filesize
252KB

Download
memory/1532-222-0x0000000002500000-0x000000000253F000-memory.dmp

Filesize
252KB

Download
memory/1532-224-0x0000000002500000-0x000000000253F000-memory.dmp

Filesize
252KB

Download
memory/1532-226-0x0000000002500000-0x000000000253F000-memory.dmp

Filesize
252KB

Download
memory/1532-228-0x0000000002500000-0x000000000253F000-memory.dmp

Filesize
252KB

Download
memory/1532-230-0x0000000002500000-0x000000000253F000-memory.dmp

Filesize
252KB

Download
memory/1532-232-0x0000000002500000-0x000000000253F000-memory.dmp

Filesize
252KB

Download
memory/1532-234-0x0000000002500000-0x000000000253F000-memory.dmp

Filesize
252KB

Download
memory/1532-236-0x0000000002500000-0x000000000253F000-memory.dmp

Filesize
252KB

Download
memory/1532-238-0x0000000002500000-0x000000000253F000-memory.dmp

Filesize
252KB

Download
memory/1532-240-0x0000000002500000-0x000000000253F000-memory.dmp

Filesize
252KB

Download
memory/1532-242-0x0000000002500000-0x000000000253F000-memory.dmp

Filesize
252KB

Download
memory/1532-302-0x0000000000610000-0x000000000065B000-memory.dmp

Filesize
300KB

Download
memory/1532-304-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/1532-1124-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/1532-308-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/1532-1121-0x00000000052D0000-0x00000000058E8000-memory.dmp

Filesize
6.1MB

Download
memory/1532-1122-0x00000000058F0000-0x00000000059FA000-memory.dmp

Filesize
1.0MB

Download
memory/1532-1123-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/4296-1180-0x0000000002720000-0x0000000002AF0000-memory.dmp

Filesize
3.8MB

Download
memory/4784-161-0x0000000000E30000-0x0000000000E3A000-memory.dmp

Filesize
40KB

Download
memory/5036-185-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/5036-202-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/5036-181-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/5036-203-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/5036-179-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/5036-201-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/5036-200-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/5036-177-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/5036-197-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/5036-195-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/5036-193-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/5036-183-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/5036-187-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/5036-205-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/5036-199-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/5036-175-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/5036-173-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/5036-172-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/5036-168-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/5036-171-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/5036-169-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/5036-170-0x0000000004C50000-0x00000000051F4000-memory.dmp

Filesize
5.6MB

Download
memory/5036-191-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/5036-167-0x0000000002110000-0x000000000213D000-memory.dmp

Filesize
180KB

Download
memory/5036-189-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download