amadey | 70188e806b5689e2f33487a89dd040e564457a1cecd8037a8a10c2e3fca897d7

Analysis

max time kernel
105s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70188e806b5689e2f33487a89dd040e564457a1cecd8037a8a10c2e3fca897d7.exe
Size

1001KB
MD5

98ef2dd13e56aa3e7d1b8feddfdc5f09
SHA1

8b5464775f023912b5419adcaf02fe1653bb7e45
SHA256

70188e806b5689e2f33487a89dd040e564457a1cecd8037a8a10c2e3fca897d7
SHA512

560928877addbf91e581727fd9f5254d63a600529650caa0d91139aaa9c0c8319c59b63fe5a94c4cdf0e30dd534383fa4693a859e942b39828c5765ebe277884
SSDEEP

24576:5yZl0Rx/rw+RYGcSt1g4IDSrkGlbewFCpMm:sn0jwyNgMkciwF

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz2911.exev8009Pp.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz2911.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz2911.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz2911.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v8009Pp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v8009Pp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v8009Pp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v8009Pp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz2911.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz2911.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v8009Pp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v8009Pp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz2911.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1176-210-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/1176-212-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/1176-209-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/1176-214-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/1176-216-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/1176-219-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/1176-223-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/1176-226-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/1176-228-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/1176-230-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/1176-232-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/1176-234-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/1176-236-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/1176-244-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/1176-242-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/1176-240-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/1176-238-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/1176-246-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y24lb74.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	y24lb74.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

Processes:

zap6850.exezap1705.exezap8445.exetz2911.exev8009Pp.exew37xo43.exexXSqw01.exey24lb74.exeoneetx.exeoneetx.exe

pid	process
4704	zap6850.exe
4768	zap1705.exe
632	zap8445.exe
3152	tz2911.exe
3408	v8009Pp.exe
1176	w37xo43.exe
2268	xXSqw01.exe
3552	y24lb74.exe
3760	oneetx.exe
940	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3976 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3976	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v8009Pp.exetz2911.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v8009Pp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz2911.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v8009Pp.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap8445.exe70188e806b5689e2f33487a89dd040e564457a1cecd8037a8a10c2e3fca897d7.exezap6850.exezap1705.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap8445.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	70188e806b5689e2f33487a89dd040e564457a1cecd8037a8a10c2e3fca897d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	70188e806b5689e2f33487a89dd040e564457a1cecd8037a8a10c2e3fca897d7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6850.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap6850.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1705.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap1705.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8445.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2648 3408 WerFault.exe v8009Pp.exe
1364 1176 WerFault.exe w37xo43.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4324 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz2911.exev8009Pp.exew37xo43.exexXSqw01.exe

pid process

3152 tz2911.exe
3152 tz2911.exe
3408 v8009Pp.exe
3408 v8009Pp.exe
1176 w37xo43.exe
1176 w37xo43.exe
2268 xXSqw01.exe
2268 xXSqw01.exe

pid	pid_target	process	target process
2648	3408	WerFault.exe	v8009Pp.exe
1364	1176	WerFault.exe	w37xo43.exe

pid	process
4324	schtasks.exe

pid	process
3152	tz2911.exe
3152	tz2911.exe
3408	v8009Pp.exe
3408	v8009Pp.exe
1176	w37xo43.exe
1176	w37xo43.exe
2268	xXSqw01.exe
2268	xXSqw01.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz2911.exev8009Pp.exew37xo43.exexXSqw01.exe

description	pid	process
Token: SeDebugPrivilege	3152	tz2911.exe
Token: SeDebugPrivilege	3408	v8009Pp.exe
Token: SeDebugPrivilege	1176	w37xo43.exe
Token: SeDebugPrivilege	2268	xXSqw01.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y24lb74.exe

pid process

3552 y24lb74.exe

pid	process
3552	y24lb74.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

70188e806b5689e2f33487a89dd040e564457a1cecd8037a8a10c2e3fca897d7.exezap6850.exezap1705.exezap8445.exey24lb74.exeoneetx.execmd.exe

description	pid	process	target process
PID 5088 wrote to memory of 4704	5088	70188e806b5689e2f33487a89dd040e564457a1cecd8037a8a10c2e3fca897d7.exe	zap6850.exe
PID 5088 wrote to memory of 4704	5088	70188e806b5689e2f33487a89dd040e564457a1cecd8037a8a10c2e3fca897d7.exe	zap6850.exe
PID 5088 wrote to memory of 4704	5088	70188e806b5689e2f33487a89dd040e564457a1cecd8037a8a10c2e3fca897d7.exe	zap6850.exe
PID 4704 wrote to memory of 4768	4704	zap6850.exe	zap1705.exe
PID 4704 wrote to memory of 4768	4704	zap6850.exe	zap1705.exe
PID 4704 wrote to memory of 4768	4704	zap6850.exe	zap1705.exe
PID 4768 wrote to memory of 632	4768	zap1705.exe	zap8445.exe
PID 4768 wrote to memory of 632	4768	zap1705.exe	zap8445.exe
PID 4768 wrote to memory of 632	4768	zap1705.exe	zap8445.exe
PID 632 wrote to memory of 3152	632	zap8445.exe	tz2911.exe
PID 632 wrote to memory of 3152	632	zap8445.exe	tz2911.exe
PID 632 wrote to memory of 3408	632	zap8445.exe	v8009Pp.exe
PID 632 wrote to memory of 3408	632	zap8445.exe	v8009Pp.exe
PID 632 wrote to memory of 3408	632	zap8445.exe	v8009Pp.exe
PID 4768 wrote to memory of 1176	4768	zap1705.exe	w37xo43.exe
PID 4768 wrote to memory of 1176	4768	zap1705.exe	w37xo43.exe
PID 4768 wrote to memory of 1176	4768	zap1705.exe	w37xo43.exe
PID 4704 wrote to memory of 2268	4704	zap6850.exe	xXSqw01.exe
PID 4704 wrote to memory of 2268	4704	zap6850.exe	xXSqw01.exe
PID 4704 wrote to memory of 2268	4704	zap6850.exe	xXSqw01.exe
PID 5088 wrote to memory of 3552	5088	70188e806b5689e2f33487a89dd040e564457a1cecd8037a8a10c2e3fca897d7.exe	y24lb74.exe
PID 5088 wrote to memory of 3552	5088	70188e806b5689e2f33487a89dd040e564457a1cecd8037a8a10c2e3fca897d7.exe	y24lb74.exe
PID 5088 wrote to memory of 3552	5088	70188e806b5689e2f33487a89dd040e564457a1cecd8037a8a10c2e3fca897d7.exe	y24lb74.exe
PID 3552 wrote to memory of 3760	3552	y24lb74.exe	oneetx.exe
PID 3552 wrote to memory of 3760	3552	y24lb74.exe	oneetx.exe
PID 3552 wrote to memory of 3760	3552	y24lb74.exe	oneetx.exe
PID 3760 wrote to memory of 4324	3760	oneetx.exe	schtasks.exe
PID 3760 wrote to memory of 4324	3760	oneetx.exe	schtasks.exe
PID 3760 wrote to memory of 4324	3760	oneetx.exe	schtasks.exe
PID 3760 wrote to memory of 448	3760	oneetx.exe	cmd.exe
PID 3760 wrote to memory of 448	3760	oneetx.exe	cmd.exe
PID 3760 wrote to memory of 448	3760	oneetx.exe	cmd.exe
PID 448 wrote to memory of 5112	448	cmd.exe	cmd.exe
PID 448 wrote to memory of 5112	448	cmd.exe	cmd.exe
PID 448 wrote to memory of 5112	448	cmd.exe	cmd.exe
PID 448 wrote to memory of 524	448	cmd.exe	cacls.exe
PID 448 wrote to memory of 524	448	cmd.exe	cacls.exe
PID 448 wrote to memory of 524	448	cmd.exe	cacls.exe
PID 448 wrote to memory of 392	448	cmd.exe	cacls.exe
PID 448 wrote to memory of 392	448	cmd.exe	cacls.exe
PID 448 wrote to memory of 392	448	cmd.exe	cacls.exe
PID 448 wrote to memory of 3764	448	cmd.exe	cmd.exe
PID 448 wrote to memory of 3764	448	cmd.exe	cmd.exe
PID 448 wrote to memory of 3764	448	cmd.exe	cmd.exe
PID 448 wrote to memory of 2652	448	cmd.exe	cacls.exe
PID 448 wrote to memory of 2652	448	cmd.exe	cacls.exe
PID 448 wrote to memory of 2652	448	cmd.exe	cacls.exe
PID 448 wrote to memory of 4760	448	cmd.exe	cacls.exe
PID 448 wrote to memory of 4760	448	cmd.exe	cacls.exe
PID 448 wrote to memory of 4760	448	cmd.exe	cacls.exe
PID 3760 wrote to memory of 3976	3760	oneetx.exe	rundll32.exe
PID 3760 wrote to memory of 3976	3760	oneetx.exe	rundll32.exe
PID 3760 wrote to memory of 3976	3760	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\70188e806b5689e2f33487a89dd040e564457a1cecd8037a8a10c2e3fca897d7.exe
"C:\Users\Admin\AppData\Local\Temp\70188e806b5689e2f33487a89dd040e564457a1cecd8037a8a10c2e3fca897d7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5088

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6850.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6850.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4704

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1705.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1705.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4768

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8445.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8445.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:632

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2911.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2911.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8009Pp.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8009Pp.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1080
6⤵
- Program crash
PID:2648

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w37xo43.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w37xo43.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1076
5⤵
- Program crash
PID:1364

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXSqw01.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXSqw01.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y24lb74.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y24lb74.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3552

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:4324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5112

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:524

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3764

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:2652

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:4760

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3408 -ip 3408
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1176 -ip 1176
1⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y24lb74.exe
Filesize
236KB

MD5
97cb7d479064028c558c89f014038018

SHA1
e6baef4fbcf0f8cf488d00c9a9674827b759d8b5

SHA256
026346404de28c03d8e7666ed509a8c38f5fc475796a84b923a07ae37569970b

SHA512
3317aec6ab0c4bca17b5ac6226120fc8aa217504379440e6c6a02aa44173a40ec1bb53fec49643794695ce554bc8ef4e905ed9d22bf2aa59434d3f26b8a745b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y24lb74.exe
Filesize
236KB

MD5
97cb7d479064028c558c89f014038018

SHA1
e6baef4fbcf0f8cf488d00c9a9674827b759d8b5

SHA256
026346404de28c03d8e7666ed509a8c38f5fc475796a84b923a07ae37569970b

SHA512
3317aec6ab0c4bca17b5ac6226120fc8aa217504379440e6c6a02aa44173a40ec1bb53fec49643794695ce554bc8ef4e905ed9d22bf2aa59434d3f26b8a745b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6850.exe
Filesize
816KB

MD5
5749b7a0f266f25aaaff31c2f2a7d415

SHA1
efd3ef61d26b4738a8377a7ee3d3a8d36c1d7db2

SHA256
d84c087bfb0b5ccc7b6ee5fcf61874f463aa6bc4bfa8ce7e4c46279c10832988

SHA512
3ac379607967b7871851d2818800769b56852c025bc2030a23c8a881a7046fa06935cf02f11eb1042d4aab1b93fd2d0ef1838b80e6898b85229eb268c960f91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6850.exe
Filesize
816KB

MD5
5749b7a0f266f25aaaff31c2f2a7d415

SHA1
efd3ef61d26b4738a8377a7ee3d3a8d36c1d7db2

SHA256
d84c087bfb0b5ccc7b6ee5fcf61874f463aa6bc4bfa8ce7e4c46279c10832988

SHA512
3ac379607967b7871851d2818800769b56852c025bc2030a23c8a881a7046fa06935cf02f11eb1042d4aab1b93fd2d0ef1838b80e6898b85229eb268c960f91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXSqw01.exe
Filesize
175KB

MD5
e3e57c7e09a3669cd483500d05146cba

SHA1
1f7987da2b928b2268cf2bf9ea007506e8dd7914

SHA256
1932c2d7079f685d38b263af0c980f36c49536208d318778e4e8a3ea65c6e71d

SHA512
f89cf476d4f2f153f141879100540808ecd65569f45a5a39c297dcc5f5a8e0ac07a350594e900fbd2c063d9ceb4d70fb25c04eea67ca1b7cd7e574623c32d0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXSqw01.exe
Filesize
175KB

MD5
e3e57c7e09a3669cd483500d05146cba

SHA1
1f7987da2b928b2268cf2bf9ea007506e8dd7914

SHA256
1932c2d7079f685d38b263af0c980f36c49536208d318778e4e8a3ea65c6e71d

SHA512
f89cf476d4f2f153f141879100540808ecd65569f45a5a39c297dcc5f5a8e0ac07a350594e900fbd2c063d9ceb4d70fb25c04eea67ca1b7cd7e574623c32d0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1705.exe
Filesize
674KB

MD5
6f851ff0fcd0115ea17a00120474a6b5

SHA1
985c9f9733ea9214c2268f90d1503dcc1f7f75c9

SHA256
dc6ba0904baa7c3e10d89aee88d2c1cd35043176a2f0a0f2e87bada59bb97ee3

SHA512
8ec961cb179ded8b19bbefab512b87dc70469f5f19ca810a9793c5afa56dd200298489eae5ce92b74cce07e7f38dd79203376c651c38ca2f72b8d94628b903b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1705.exe
Filesize
674KB

MD5
6f851ff0fcd0115ea17a00120474a6b5

SHA1
985c9f9733ea9214c2268f90d1503dcc1f7f75c9

SHA256
dc6ba0904baa7c3e10d89aee88d2c1cd35043176a2f0a0f2e87bada59bb97ee3

SHA512
8ec961cb179ded8b19bbefab512b87dc70469f5f19ca810a9793c5afa56dd200298489eae5ce92b74cce07e7f38dd79203376c651c38ca2f72b8d94628b903b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w37xo43.exe
Filesize
318KB

MD5
24ffc5fd865cedd72901a776e9c7a97b

SHA1
404c900ca4ec0b9c15dc2cd01fa66389804016d5

SHA256
da05da2aa02e81279effade6c552787b540628f743eb87bd725aa957b5083335

SHA512
8364c7c21523f14eed55d42ac38585435e94b59bdde9b01249a21ddc575bc6a45d28b5c60682022e84651b4cdf50008c690eee3601ebb6567052545a624448af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w37xo43.exe
Filesize
318KB

MD5
24ffc5fd865cedd72901a776e9c7a97b

SHA1
404c900ca4ec0b9c15dc2cd01fa66389804016d5

SHA256
da05da2aa02e81279effade6c552787b540628f743eb87bd725aa957b5083335

SHA512
8364c7c21523f14eed55d42ac38585435e94b59bdde9b01249a21ddc575bc6a45d28b5c60682022e84651b4cdf50008c690eee3601ebb6567052545a624448af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8445.exe
Filesize
334KB

MD5
f1e1bc95da56d4ca36c89b63c510cd59

SHA1
b90b713511bce19298c79a181c6bb6ff0a996693

SHA256
ee626aaf1714483dd2da52235921cc919abecbf08c486cab2fe91c92f7a1363f

SHA512
ff457afc50807de799350f5cdced33644a8e6555531c7aa91cbe57e0622423dfc2b30688ee46c343fb110e5cb82570744c699fe8350cf8e82a1e3610838060d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8445.exe
Filesize
334KB

MD5
f1e1bc95da56d4ca36c89b63c510cd59

SHA1
b90b713511bce19298c79a181c6bb6ff0a996693

SHA256
ee626aaf1714483dd2da52235921cc919abecbf08c486cab2fe91c92f7a1363f

SHA512
ff457afc50807de799350f5cdced33644a8e6555531c7aa91cbe57e0622423dfc2b30688ee46c343fb110e5cb82570744c699fe8350cf8e82a1e3610838060d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2911.exe
Filesize
11KB

MD5
ffa806fcde598c40288f7dedcf1f3687

SHA1
205b34112f10fb73813018f5e44c744386e1a96b

SHA256
83ee008e83c0ab56a531c5ff7c7aefb9dee303aa02e7e81c8cf407d4dee617a0

SHA512
6dbaaf246c6ea4246b5ca168e5effaa6fc9663668888250d232754ea48c14f6ba95c43e8b49480f46ba0d614b13a971a308b6a109b684c02b6d529af66769c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2911.exe
Filesize
11KB

MD5
ffa806fcde598c40288f7dedcf1f3687

SHA1
205b34112f10fb73813018f5e44c744386e1a96b

SHA256
83ee008e83c0ab56a531c5ff7c7aefb9dee303aa02e7e81c8cf407d4dee617a0

SHA512
6dbaaf246c6ea4246b5ca168e5effaa6fc9663668888250d232754ea48c14f6ba95c43e8b49480f46ba0d614b13a971a308b6a109b684c02b6d529af66769c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8009Pp.exe
Filesize
260KB

MD5
64556e2f4291e84b8601f8d1d28fc8d7

SHA1
afada1a1b7383c1606a7f131d453af8f712fe710

SHA256
8b3a62375f5204ba0b54533e2a57543ebee83af46e9aac41cf3a657a9dafcf54

SHA512
56c68fb8e938e5f364c27a752afffff7d93016a2c5c9a2fc2d350310d6f8ccdcc1e1204a6e8e51ff9085d0e945943b0e66063b3a0d5385478d0699727abf736c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8009Pp.exe
Filesize
260KB

MD5
64556e2f4291e84b8601f8d1d28fc8d7

SHA1
afada1a1b7383c1606a7f131d453af8f712fe710

SHA256
8b3a62375f5204ba0b54533e2a57543ebee83af46e9aac41cf3a657a9dafcf54

SHA512
56c68fb8e938e5f364c27a752afffff7d93016a2c5c9a2fc2d350310d6f8ccdcc1e1204a6e8e51ff9085d0e945943b0e66063b3a0d5385478d0699727abf736c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
97cb7d479064028c558c89f014038018

SHA1
e6baef4fbcf0f8cf488d00c9a9674827b759d8b5

SHA256
026346404de28c03d8e7666ed509a8c38f5fc475796a84b923a07ae37569970b

SHA512
3317aec6ab0c4bca17b5ac6226120fc8aa217504379440e6c6a02aa44173a40ec1bb53fec49643794695ce554bc8ef4e905ed9d22bf2aa59434d3f26b8a745b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
97cb7d479064028c558c89f014038018

SHA1
e6baef4fbcf0f8cf488d00c9a9674827b759d8b5

SHA256
026346404de28c03d8e7666ed509a8c38f5fc475796a84b923a07ae37569970b

SHA512
3317aec6ab0c4bca17b5ac6226120fc8aa217504379440e6c6a02aa44173a40ec1bb53fec49643794695ce554bc8ef4e905ed9d22bf2aa59434d3f26b8a745b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
97cb7d479064028c558c89f014038018

SHA1
e6baef4fbcf0f8cf488d00c9a9674827b759d8b5

SHA256
026346404de28c03d8e7666ed509a8c38f5fc475796a84b923a07ae37569970b

SHA512
3317aec6ab0c4bca17b5ac6226120fc8aa217504379440e6c6a02aa44173a40ec1bb53fec49643794695ce554bc8ef4e905ed9d22bf2aa59434d3f26b8a745b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
97cb7d479064028c558c89f014038018

SHA1
e6baef4fbcf0f8cf488d00c9a9674827b759d8b5

SHA256
026346404de28c03d8e7666ed509a8c38f5fc475796a84b923a07ae37569970b

SHA512
3317aec6ab0c4bca17b5ac6226120fc8aa217504379440e6c6a02aa44173a40ec1bb53fec49643794695ce554bc8ef4e905ed9d22bf2aa59434d3f26b8a745b1

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1176-1127-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/1176-242-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/1176-1135-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/1176-1133-0x0000000006AA0000-0x0000000006FCC000-memory.dmp

Filesize
5.2MB

Download
memory/1176-1132-0x00000000066D0000-0x0000000006892000-memory.dmp

Filesize
1.8MB

Download
memory/1176-1131-0x0000000006640000-0x0000000006690000-memory.dmp

Filesize
320KB

Download
memory/1176-1130-0x00000000065B0000-0x0000000006626000-memory.dmp

Filesize
472KB

Download
memory/1176-1128-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/1176-1129-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/1176-1125-0x00000000063A0000-0x0000000006432000-memory.dmp

Filesize
584KB

Download
memory/1176-1124-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/1176-1123-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/1176-1122-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/1176-210-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/1176-212-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/1176-209-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/1176-214-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/1176-216-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/1176-219-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/1176-218-0x0000000002120000-0x000000000216B000-memory.dmp

Filesize
300KB

Download
memory/1176-220-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/1176-223-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/1176-222-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/1176-224-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/1176-226-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/1176-228-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/1176-230-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/1176-232-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/1176-234-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/1176-236-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/1176-244-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/1176-1121-0x00000000059E0000-0x00000000059F2000-memory.dmp

Filesize
72KB

Download
memory/1176-240-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/1176-238-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/1176-246-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/1176-1119-0x0000000005230000-0x0000000005848000-memory.dmp

Filesize
6.1MB

Download
memory/1176-1120-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/2268-1140-0x0000000000F30000-0x0000000000F62000-memory.dmp

Filesize
200KB

Download
memory/2268-1141-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/3152-161-0x00000000006F0000-0x00000000006FA000-memory.dmp

Filesize
40KB

Download
memory/3408-192-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/3408-180-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/3408-184-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/3408-201-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3408-200-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3408-199-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3408-198-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/3408-196-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/3408-194-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/3408-190-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/3408-182-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/3408-202-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3408-204-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3408-188-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/3408-178-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/3408-176-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/3408-174-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/3408-172-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/3408-171-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/3408-169-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3408-170-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3408-168-0x0000000000730000-0x000000000075D000-memory.dmp

Filesize
180KB

Download
memory/3408-167-0x0000000004CD0000-0x0000000005274000-memory.dmp

Filesize
5.6MB

Download
memory/3408-186-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download