amadey | 6f8d80b1d76447959645d6bf70e50d9dad997025b1f2727f5036f8ff9c72edfe

Analysis

max time kernel
145s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f8d80b1d76447959645d6bf70e50d9dad997025b1f2727f5036f8ff9c72edfe.exe
Size

1000KB
MD5

8790773c47af7c35684c981dcc14f623
SHA1

a0dafca2016ac07cacbeb4688bffe16864f0e09e
SHA256

6f8d80b1d76447959645d6bf70e50d9dad997025b1f2727f5036f8ff9c72edfe
SHA512

0049ef894c49afee24efecc1a43d7c29795e900cce0dbedaec3d5aac009ef3812b2a82e4cca11534b14d58cfbe89f2e66f697f4f971865a8366657b3ef563adf
SSDEEP

24576:QyTNMSI7dFTfUozV6e+nYoHYM+QK1rcVQPlMyBT3:XxMSYHjUozVonJNlK1gVLuT

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz1868.exev0493Fv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz1868.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v0493Fv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v0493Fv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz1868.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz1868.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz1868.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz1868.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v0493Fv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v0493Fv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v0493Fv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v0493Fv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz1868.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4108-210-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/4108-209-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/4108-212-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/4108-214-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/4108-216-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/4108-218-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/4108-220-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/4108-222-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/4108-224-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/4108-226-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/4108-228-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/4108-230-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/4108-232-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/4108-234-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/4108-236-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/4108-238-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/4108-240-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/4108-244-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

oneetx.exey35jA31.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	y35jA31.exe

Executes dropped EXE 11 IoCs

Processes:

zap7036.exezap1505.exezap0653.exetz1868.exev0493Fv.exew13lf61.exexmnPT58.exey35jA31.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
5060	zap7036.exe
4792	zap1505.exe
540	zap0653.exe
3676	tz1868.exe
1956	v0493Fv.exe
4108	w13lf61.exe
1364	xmnPT58.exe
2168	y35jA31.exe
3484	oneetx.exe
3264	oneetx.exe
4628	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3184 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3184	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz1868.exev0493Fv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz1868.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v0493Fv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v0493Fv.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap1505.exezap0653.exe6f8d80b1d76447959645d6bf70e50d9dad997025b1f2727f5036f8ff9c72edfe.exezap7036.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1505.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap1505.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0653.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap0653.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6f8d80b1d76447959645d6bf70e50d9dad997025b1f2727f5036f8ff9c72edfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6f8d80b1d76447959645d6bf70e50d9dad997025b1f2727f5036f8ff9c72edfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7036.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap7036.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4788 1956 WerFault.exe v0493Fv.exe
1884 4108 WerFault.exe w13lf61.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4592 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz1868.exev0493Fv.exew13lf61.exexmnPT58.exe

pid process

3676 tz1868.exe
3676 tz1868.exe
1956 v0493Fv.exe
1956 v0493Fv.exe
4108 w13lf61.exe
4108 w13lf61.exe
1364 xmnPT58.exe
1364 xmnPT58.exe

pid	pid_target	process	target process
4788	1956	WerFault.exe	v0493Fv.exe
1884	4108	WerFault.exe	w13lf61.exe

pid	process
4592	schtasks.exe

pid	process
3676	tz1868.exe
3676	tz1868.exe
1956	v0493Fv.exe
1956	v0493Fv.exe
4108	w13lf61.exe
4108	w13lf61.exe
1364	xmnPT58.exe
1364	xmnPT58.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz1868.exev0493Fv.exew13lf61.exexmnPT58.exe

description	pid	process
Token: SeDebugPrivilege	3676	tz1868.exe
Token: SeDebugPrivilege	1956	v0493Fv.exe
Token: SeDebugPrivilege	4108	w13lf61.exe
Token: SeDebugPrivilege	1364	xmnPT58.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y35jA31.exe

pid process

2168 y35jA31.exe

pid	process
2168	y35jA31.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

6f8d80b1d76447959645d6bf70e50d9dad997025b1f2727f5036f8ff9c72edfe.exezap7036.exezap1505.exezap0653.exey35jA31.exeoneetx.execmd.exe

description	pid	process	target process
PID 3304 wrote to memory of 5060	3304	6f8d80b1d76447959645d6bf70e50d9dad997025b1f2727f5036f8ff9c72edfe.exe	zap7036.exe
PID 3304 wrote to memory of 5060	3304	6f8d80b1d76447959645d6bf70e50d9dad997025b1f2727f5036f8ff9c72edfe.exe	zap7036.exe
PID 3304 wrote to memory of 5060	3304	6f8d80b1d76447959645d6bf70e50d9dad997025b1f2727f5036f8ff9c72edfe.exe	zap7036.exe
PID 5060 wrote to memory of 4792	5060	zap7036.exe	zap1505.exe
PID 5060 wrote to memory of 4792	5060	zap7036.exe	zap1505.exe
PID 5060 wrote to memory of 4792	5060	zap7036.exe	zap1505.exe
PID 4792 wrote to memory of 540	4792	zap1505.exe	zap0653.exe
PID 4792 wrote to memory of 540	4792	zap1505.exe	zap0653.exe
PID 4792 wrote to memory of 540	4792	zap1505.exe	zap0653.exe
PID 540 wrote to memory of 3676	540	zap0653.exe	tz1868.exe
PID 540 wrote to memory of 3676	540	zap0653.exe	tz1868.exe
PID 540 wrote to memory of 1956	540	zap0653.exe	v0493Fv.exe
PID 540 wrote to memory of 1956	540	zap0653.exe	v0493Fv.exe
PID 540 wrote to memory of 1956	540	zap0653.exe	v0493Fv.exe
PID 4792 wrote to memory of 4108	4792	zap1505.exe	w13lf61.exe
PID 4792 wrote to memory of 4108	4792	zap1505.exe	w13lf61.exe
PID 4792 wrote to memory of 4108	4792	zap1505.exe	w13lf61.exe
PID 5060 wrote to memory of 1364	5060	zap7036.exe	xmnPT58.exe
PID 5060 wrote to memory of 1364	5060	zap7036.exe	xmnPT58.exe
PID 5060 wrote to memory of 1364	5060	zap7036.exe	xmnPT58.exe
PID 3304 wrote to memory of 2168	3304	6f8d80b1d76447959645d6bf70e50d9dad997025b1f2727f5036f8ff9c72edfe.exe	y35jA31.exe
PID 3304 wrote to memory of 2168	3304	6f8d80b1d76447959645d6bf70e50d9dad997025b1f2727f5036f8ff9c72edfe.exe	y35jA31.exe
PID 3304 wrote to memory of 2168	3304	6f8d80b1d76447959645d6bf70e50d9dad997025b1f2727f5036f8ff9c72edfe.exe	y35jA31.exe
PID 2168 wrote to memory of 3484	2168	y35jA31.exe	oneetx.exe
PID 2168 wrote to memory of 3484	2168	y35jA31.exe	oneetx.exe
PID 2168 wrote to memory of 3484	2168	y35jA31.exe	oneetx.exe
PID 3484 wrote to memory of 4592	3484	oneetx.exe	schtasks.exe
PID 3484 wrote to memory of 4592	3484	oneetx.exe	schtasks.exe
PID 3484 wrote to memory of 4592	3484	oneetx.exe	schtasks.exe
PID 3484 wrote to memory of 812	3484	oneetx.exe	cmd.exe
PID 3484 wrote to memory of 812	3484	oneetx.exe	cmd.exe
PID 3484 wrote to memory of 812	3484	oneetx.exe	cmd.exe
PID 812 wrote to memory of 3232	812	cmd.exe	cmd.exe
PID 812 wrote to memory of 3232	812	cmd.exe	cmd.exe
PID 812 wrote to memory of 3232	812	cmd.exe	cmd.exe
PID 812 wrote to memory of 1316	812	cmd.exe	cacls.exe
PID 812 wrote to memory of 1316	812	cmd.exe	cacls.exe
PID 812 wrote to memory of 1316	812	cmd.exe	cacls.exe
PID 812 wrote to memory of 2820	812	cmd.exe	cacls.exe
PID 812 wrote to memory of 2820	812	cmd.exe	cacls.exe
PID 812 wrote to memory of 2820	812	cmd.exe	cacls.exe
PID 812 wrote to memory of 5016	812	cmd.exe	cmd.exe
PID 812 wrote to memory of 5016	812	cmd.exe	cmd.exe
PID 812 wrote to memory of 5016	812	cmd.exe	cmd.exe
PID 812 wrote to memory of 1276	812	cmd.exe	cacls.exe
PID 812 wrote to memory of 1276	812	cmd.exe	cacls.exe
PID 812 wrote to memory of 1276	812	cmd.exe	cacls.exe
PID 812 wrote to memory of 3432	812	cmd.exe	cacls.exe
PID 812 wrote to memory of 3432	812	cmd.exe	cacls.exe
PID 812 wrote to memory of 3432	812	cmd.exe	cacls.exe
PID 3484 wrote to memory of 3184	3484	oneetx.exe	rundll32.exe
PID 3484 wrote to memory of 3184	3484	oneetx.exe	rundll32.exe
PID 3484 wrote to memory of 3184	3484	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\6f8d80b1d76447959645d6bf70e50d9dad997025b1f2727f5036f8ff9c72edfe.exe
"C:\Users\Admin\AppData\Local\Temp\6f8d80b1d76447959645d6bf70e50d9dad997025b1f2727f5036f8ff9c72edfe.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3304

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7036.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7036.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5060

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1505.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1505.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4792

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0653.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0653.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1868.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1868.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0493Fv.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0493Fv.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1012
6⤵
- Program crash
PID:4788

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w13lf61.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w13lf61.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1540
5⤵
- Program crash
PID:1884

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xmnPT58.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xmnPT58.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y35jA31.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y35jA31.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:4592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3232

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:1316

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5016

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:1276

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:3432

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1956 -ip 1956
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4108 -ip 4108
1⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:3264

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:4628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y35jA31.exe
Filesize
236KB

MD5
af1b6854569dffbdccd6e7dae7432708

SHA1
e4fc7bc772d3aaf3090ab27e04440555d1413c27

SHA256
99b1d71c1ce13ec6c3334e1f0616afa12cda0aadfb33292fe663acbb64ea7d2a

SHA512
2179b578e6feb749355845394442d1e242457ac826b4e2ab178c8982bdc8a1567bfc6d51cd2512f6c00121a69ad0b518a4a7d9ef440be56624dfd38f1fa1dc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y35jA31.exe
Filesize
236KB

MD5
af1b6854569dffbdccd6e7dae7432708

SHA1
e4fc7bc772d3aaf3090ab27e04440555d1413c27

SHA256
99b1d71c1ce13ec6c3334e1f0616afa12cda0aadfb33292fe663acbb64ea7d2a

SHA512
2179b578e6feb749355845394442d1e242457ac826b4e2ab178c8982bdc8a1567bfc6d51cd2512f6c00121a69ad0b518a4a7d9ef440be56624dfd38f1fa1dc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7036.exe
Filesize
816KB

MD5
1c3b8458ba39dcc27c968a14066de715

SHA1
a532413541b117e262e5091413673e5536866b13

SHA256
7f399f9793bca4cc40e83381350f38cd2b0c94d077a5614c8956031086752719

SHA512
b2171215a6224d9b50f0dc19ade90d456c310723594be66060a64896f1619e824fe795002b2e53cadb751b09d6152080d435f08931b410b16de33e3254fba8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7036.exe
Filesize
816KB

MD5
1c3b8458ba39dcc27c968a14066de715

SHA1
a532413541b117e262e5091413673e5536866b13

SHA256
7f399f9793bca4cc40e83381350f38cd2b0c94d077a5614c8956031086752719

SHA512
b2171215a6224d9b50f0dc19ade90d456c310723594be66060a64896f1619e824fe795002b2e53cadb751b09d6152080d435f08931b410b16de33e3254fba8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xmnPT58.exe
Filesize
175KB

MD5
62463085ea02059c3c18d81fc92029f8

SHA1
3d6c681385b39da23729b96960f40d9978504fda

SHA256
e9e4bcd766f82f9e99d4974e7ea59f9396b8d3f1e95d0fb97ea42d07e5a9f780

SHA512
36fbfdf0deef50034633cf9ff4989e650d95ed905c84e5fcff64c3d46782d593c414b7f40cb85bf2698989440158ce3bd179bd2bf45df7d332d9515eaa4df2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xmnPT58.exe
Filesize
175KB

MD5
62463085ea02059c3c18d81fc92029f8

SHA1
3d6c681385b39da23729b96960f40d9978504fda

SHA256
e9e4bcd766f82f9e99d4974e7ea59f9396b8d3f1e95d0fb97ea42d07e5a9f780

SHA512
36fbfdf0deef50034633cf9ff4989e650d95ed905c84e5fcff64c3d46782d593c414b7f40cb85bf2698989440158ce3bd179bd2bf45df7d332d9515eaa4df2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1505.exe
Filesize
674KB

MD5
c5e169549b8d006912a6662059de79cf

SHA1
457d622d4ef2b790dadf3cd997056a28b347e1ae

SHA256
53a12ec347b8b1244998033b1d33b34c430b7354f6d5c914988b2f24b3b17718

SHA512
a1c1b4986f0bb697843a55d0e29c880e8266390d72f2ee356384309428cc7d0cf5159cc1b75d11d2972fb42285fb0b50f5c4387b773d2b301e801592707590c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1505.exe
Filesize
674KB

MD5
c5e169549b8d006912a6662059de79cf

SHA1
457d622d4ef2b790dadf3cd997056a28b347e1ae

SHA256
53a12ec347b8b1244998033b1d33b34c430b7354f6d5c914988b2f24b3b17718

SHA512
a1c1b4986f0bb697843a55d0e29c880e8266390d72f2ee356384309428cc7d0cf5159cc1b75d11d2972fb42285fb0b50f5c4387b773d2b301e801592707590c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w13lf61.exe
Filesize
318KB

MD5
548dc81688084a0ade488540a9047f78

SHA1
a782c92d3dde2b83dac69dbb3c63a26bf8b481b8

SHA256
1e94cd357691ad04f4f68dc877c0dbe5ddcfc4299c89098b322ba7c773336094

SHA512
81e9b7209d2d6f849279f500f268494aef481e91f0a70f8bb7a6d5622deb3799005152bbca95e503aec4644d39e6a8f8cb1a529fe01655c50762cfc34a54513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w13lf61.exe
Filesize
318KB

MD5
548dc81688084a0ade488540a9047f78

SHA1
a782c92d3dde2b83dac69dbb3c63a26bf8b481b8

SHA256
1e94cd357691ad04f4f68dc877c0dbe5ddcfc4299c89098b322ba7c773336094

SHA512
81e9b7209d2d6f849279f500f268494aef481e91f0a70f8bb7a6d5622deb3799005152bbca95e503aec4644d39e6a8f8cb1a529fe01655c50762cfc34a54513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0653.exe
Filesize
333KB

MD5
213eb4690fb92647944ab58996a28dff

SHA1
6f9fc1955ff4a16863e688451c26cc51b687f51a

SHA256
88aa98b0ec8fb739bdcbbb7d098a2a054ad39c92a8bf2fab1082238dc2606045

SHA512
b1f863eb271feb44e325ceb4af260431c84cbf1234d6c7bbf08b2882c769864eb7382cabdc2fe4cd5dfb03887621ed40d69b990339f2490640b176e41ec47cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0653.exe
Filesize
333KB

MD5
213eb4690fb92647944ab58996a28dff

SHA1
6f9fc1955ff4a16863e688451c26cc51b687f51a

SHA256
88aa98b0ec8fb739bdcbbb7d098a2a054ad39c92a8bf2fab1082238dc2606045

SHA512
b1f863eb271feb44e325ceb4af260431c84cbf1234d6c7bbf08b2882c769864eb7382cabdc2fe4cd5dfb03887621ed40d69b990339f2490640b176e41ec47cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1868.exe
Filesize
11KB

MD5
137ed12595afcb8de0fff02bbade4d0b

SHA1
7927f8db64217ea7220f89bbc3c6e5b5a998d67c

SHA256
12361a9a85f3a1c201d85b9992d2805281494a9474113800293cd9c1609d13e1

SHA512
a03a8de388dccc4ea6b9c66de15e01301d6c7ab958a169bd0773029cc0e30bf41cc1c91bdc39a79fe7caebdf5e891621daeaf072006c80499ec2560ef0554f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1868.exe
Filesize
11KB

MD5
137ed12595afcb8de0fff02bbade4d0b

SHA1
7927f8db64217ea7220f89bbc3c6e5b5a998d67c

SHA256
12361a9a85f3a1c201d85b9992d2805281494a9474113800293cd9c1609d13e1

SHA512
a03a8de388dccc4ea6b9c66de15e01301d6c7ab958a169bd0773029cc0e30bf41cc1c91bdc39a79fe7caebdf5e891621daeaf072006c80499ec2560ef0554f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0493Fv.exe
Filesize
259KB

MD5
61deafb6de2f3dcaff97888173626ff3

SHA1
4967f41f2a959b830e1cd7d69d29ed7e79eddbc7

SHA256
19a53425b33b082deca94e151be3e22e55f86f7450dc518f7ce11d837520387e

SHA512
954748a4d6dffe639432ca80ef68af6942e309aa1aee0d848e95e71af2d0b0a05acd000fac3f32696857490df035d24547542bb73c1279bd9968b1a4166037f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0493Fv.exe
Filesize
259KB

MD5
61deafb6de2f3dcaff97888173626ff3

SHA1
4967f41f2a959b830e1cd7d69d29ed7e79eddbc7

SHA256
19a53425b33b082deca94e151be3e22e55f86f7450dc518f7ce11d837520387e

SHA512
954748a4d6dffe639432ca80ef68af6942e309aa1aee0d848e95e71af2d0b0a05acd000fac3f32696857490df035d24547542bb73c1279bd9968b1a4166037f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
af1b6854569dffbdccd6e7dae7432708

SHA1
e4fc7bc772d3aaf3090ab27e04440555d1413c27

SHA256
99b1d71c1ce13ec6c3334e1f0616afa12cda0aadfb33292fe663acbb64ea7d2a

SHA512
2179b578e6feb749355845394442d1e242457ac826b4e2ab178c8982bdc8a1567bfc6d51cd2512f6c00121a69ad0b518a4a7d9ef440be56624dfd38f1fa1dc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
af1b6854569dffbdccd6e7dae7432708

SHA1
e4fc7bc772d3aaf3090ab27e04440555d1413c27

SHA256
99b1d71c1ce13ec6c3334e1f0616afa12cda0aadfb33292fe663acbb64ea7d2a

SHA512
2179b578e6feb749355845394442d1e242457ac826b4e2ab178c8982bdc8a1567bfc6d51cd2512f6c00121a69ad0b518a4a7d9ef440be56624dfd38f1fa1dc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
af1b6854569dffbdccd6e7dae7432708

SHA1
e4fc7bc772d3aaf3090ab27e04440555d1413c27

SHA256
99b1d71c1ce13ec6c3334e1f0616afa12cda0aadfb33292fe663acbb64ea7d2a

SHA512
2179b578e6feb749355845394442d1e242457ac826b4e2ab178c8982bdc8a1567bfc6d51cd2512f6c00121a69ad0b518a4a7d9ef440be56624dfd38f1fa1dc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
af1b6854569dffbdccd6e7dae7432708

SHA1
e4fc7bc772d3aaf3090ab27e04440555d1413c27

SHA256
99b1d71c1ce13ec6c3334e1f0616afa12cda0aadfb33292fe663acbb64ea7d2a

SHA512
2179b578e6feb749355845394442d1e242457ac826b4e2ab178c8982bdc8a1567bfc6d51cd2512f6c00121a69ad0b518a4a7d9ef440be56624dfd38f1fa1dc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
af1b6854569dffbdccd6e7dae7432708

SHA1
e4fc7bc772d3aaf3090ab27e04440555d1413c27

SHA256
99b1d71c1ce13ec6c3334e1f0616afa12cda0aadfb33292fe663acbb64ea7d2a

SHA512
2179b578e6feb749355845394442d1e242457ac826b4e2ab178c8982bdc8a1567bfc6d51cd2512f6c00121a69ad0b518a4a7d9ef440be56624dfd38f1fa1dc1d

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1364-1139-0x00000000008C0000-0x00000000008F2000-memory.dmp

Filesize
200KB

Download
memory/1364-1140-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/1956-172-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/1956-188-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/1956-192-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/1956-194-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/1956-196-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/1956-198-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/1956-199-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1956-200-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1956-201-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1956-202-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1956-204-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1956-184-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/1956-180-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/1956-190-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/1956-178-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/1956-176-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/1956-186-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/1956-174-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/1956-182-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/1956-171-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/1956-170-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1956-169-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1956-168-0x0000000000650000-0x000000000067D000-memory.dmp

Filesize
180KB

Download
memory/1956-167-0x0000000004D00000-0x00000000052A4000-memory.dmp

Filesize
5.6MB

Download
memory/3676-161-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

Filesize
40KB

Download
memory/4108-218-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/4108-236-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/4108-238-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/4108-240-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/4108-243-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/4108-242-0x0000000002150000-0x000000000219B000-memory.dmp

Filesize
300KB

Download
memory/4108-245-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/4108-244-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/4108-1118-0x0000000005200000-0x0000000005818000-memory.dmp

Filesize
6.1MB

Download
memory/4108-1119-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/4108-1120-0x00000000059E0000-0x00000000059F2000-memory.dmp

Filesize
72KB

Download
memory/4108-1121-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/4108-1122-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/4108-1123-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/4108-1124-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/4108-1126-0x00000000064C0000-0x0000000006682000-memory.dmp

Filesize
1.8MB

Download
memory/4108-1127-0x0000000006690000-0x0000000006BBC000-memory.dmp

Filesize
5.2MB

Download
memory/4108-1128-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/4108-1130-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/4108-1129-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/4108-1131-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/4108-234-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/4108-232-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/4108-230-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/4108-228-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/4108-226-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/4108-224-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/4108-222-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/4108-220-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/4108-216-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/4108-214-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/4108-212-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/4108-209-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/4108-210-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/4108-1132-0x0000000007080000-0x00000000070F6000-memory.dmp

Filesize
472KB

Download
memory/4108-1133-0x0000000007100000-0x0000000007150000-memory.dmp

Filesize
320KB

Download