amadey | 11f2d11a5be62efff5d5a9e7a48f66dcb8d03f8397c13d8f25a8ae30f2ec79f6

Analysis

max time kernel
151s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11f2d11a5be62efff5d5a9e7a48f66dcb8d03f8397c13d8f25a8ae30f2ec79f6.exe
Size

1000KB
MD5

9c9e34b075f39953c730377dcbd4639a
SHA1

6b0ae51fcd923ee0ee71a77a13849c6f52dfb85b
SHA256

11f2d11a5be62efff5d5a9e7a48f66dcb8d03f8397c13d8f25a8ae30f2ec79f6
SHA512

2812200da380ba2243c91e73f4632f6403deccc5636a34e43ff42d543e96b42846d1212e4d2b3d303c3ff8dacd4e240f0b6648f40e78f34ab225254f168d5d2a
SSDEEP

24576:GyPsKC1I2a4qXk27bCAcJieo1LpQBUe7Udw:VG9mPCAck9097k

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz2010.exev0122cS.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz2010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz2010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz2010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz2010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v0122cS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v0122cS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v0122cS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz2010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz2010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v0122cS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v0122cS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v0122cS.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2204-210-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/2204-211-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/2204-213-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/2204-215-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/2204-217-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/2204-219-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/2204-221-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/2204-223-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/2204-225-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/2204-227-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/2204-229-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/2204-231-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/2204-233-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/2204-235-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/2204-237-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/2204-239-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/2204-241-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/2204-243-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/2204-1131-0x0000000004B30000-0x0000000004B40000-memory.dmp	family_redline
behavioral1/memory/2204-1132-0x0000000004B30000-0x0000000004B40000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y53uo93.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	y53uo93.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 11 IoCs

Processes:

zap5207.exezap6537.exezap4801.exetz2010.exev0122cS.exew49hf34.exexweub23.exey53uo93.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
2124	zap5207.exe
4876	zap6537.exe
3916	zap4801.exe
1868	tz2010.exe
3952	v0122cS.exe
2204	w49hf34.exe
4668	xweub23.exe
3772	y53uo93.exe
1868	oneetx.exe
3292	oneetx.exe
3956	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1680 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1680	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz2010.exev0122cS.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz2010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v0122cS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v0122cS.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap4801.exe11f2d11a5be62efff5d5a9e7a48f66dcb8d03f8397c13d8f25a8ae30f2ec79f6.exezap5207.exezap6537.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap4801.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	11f2d11a5be62efff5d5a9e7a48f66dcb8d03f8397c13d8f25a8ae30f2ec79f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	11f2d11a5be62efff5d5a9e7a48f66dcb8d03f8397c13d8f25a8ae30f2ec79f6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap5207.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap5207.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6537.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap6537.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4801.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3288 3952 WerFault.exe v0122cS.exe
4808 2204 WerFault.exe w49hf34.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

900 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz2010.exev0122cS.exew49hf34.exexweub23.exe

pid process

1868 tz2010.exe
1868 tz2010.exe
3952 v0122cS.exe
3952 v0122cS.exe
2204 w49hf34.exe
2204 w49hf34.exe
4668 xweub23.exe
4668 xweub23.exe

pid	pid_target	process	target process
3288	3952	WerFault.exe	v0122cS.exe
4808	2204	WerFault.exe	w49hf34.exe

pid	process
900	schtasks.exe

pid	process
1868	tz2010.exe
1868	tz2010.exe
3952	v0122cS.exe
3952	v0122cS.exe
2204	w49hf34.exe
2204	w49hf34.exe
4668	xweub23.exe
4668	xweub23.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz2010.exev0122cS.exew49hf34.exexweub23.exe

description	pid	process
Token: SeDebugPrivilege	1868	tz2010.exe
Token: SeDebugPrivilege	3952	v0122cS.exe
Token: SeDebugPrivilege	2204	w49hf34.exe
Token: SeDebugPrivilege	4668	xweub23.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y53uo93.exe

pid process

3772 y53uo93.exe

pid	process
3772	y53uo93.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

11f2d11a5be62efff5d5a9e7a48f66dcb8d03f8397c13d8f25a8ae30f2ec79f6.exezap5207.exezap6537.exezap4801.exey53uo93.exeoneetx.execmd.exe

description	pid	process	target process
PID 3532 wrote to memory of 2124	3532	11f2d11a5be62efff5d5a9e7a48f66dcb8d03f8397c13d8f25a8ae30f2ec79f6.exe	zap5207.exe
PID 3532 wrote to memory of 2124	3532	11f2d11a5be62efff5d5a9e7a48f66dcb8d03f8397c13d8f25a8ae30f2ec79f6.exe	zap5207.exe
PID 3532 wrote to memory of 2124	3532	11f2d11a5be62efff5d5a9e7a48f66dcb8d03f8397c13d8f25a8ae30f2ec79f6.exe	zap5207.exe
PID 2124 wrote to memory of 4876	2124	zap5207.exe	zap6537.exe
PID 2124 wrote to memory of 4876	2124	zap5207.exe	zap6537.exe
PID 2124 wrote to memory of 4876	2124	zap5207.exe	zap6537.exe
PID 4876 wrote to memory of 3916	4876	zap6537.exe	zap4801.exe
PID 4876 wrote to memory of 3916	4876	zap6537.exe	zap4801.exe
PID 4876 wrote to memory of 3916	4876	zap6537.exe	zap4801.exe
PID 3916 wrote to memory of 1868	3916	zap4801.exe	tz2010.exe
PID 3916 wrote to memory of 1868	3916	zap4801.exe	tz2010.exe
PID 3916 wrote to memory of 3952	3916	zap4801.exe	v0122cS.exe
PID 3916 wrote to memory of 3952	3916	zap4801.exe	v0122cS.exe
PID 3916 wrote to memory of 3952	3916	zap4801.exe	v0122cS.exe
PID 4876 wrote to memory of 2204	4876	zap6537.exe	w49hf34.exe
PID 4876 wrote to memory of 2204	4876	zap6537.exe	w49hf34.exe
PID 4876 wrote to memory of 2204	4876	zap6537.exe	w49hf34.exe
PID 2124 wrote to memory of 4668	2124	zap5207.exe	xweub23.exe
PID 2124 wrote to memory of 4668	2124	zap5207.exe	xweub23.exe
PID 2124 wrote to memory of 4668	2124	zap5207.exe	xweub23.exe
PID 3532 wrote to memory of 3772	3532	11f2d11a5be62efff5d5a9e7a48f66dcb8d03f8397c13d8f25a8ae30f2ec79f6.exe	y53uo93.exe
PID 3532 wrote to memory of 3772	3532	11f2d11a5be62efff5d5a9e7a48f66dcb8d03f8397c13d8f25a8ae30f2ec79f6.exe	y53uo93.exe
PID 3532 wrote to memory of 3772	3532	11f2d11a5be62efff5d5a9e7a48f66dcb8d03f8397c13d8f25a8ae30f2ec79f6.exe	y53uo93.exe
PID 3772 wrote to memory of 1868	3772	y53uo93.exe	oneetx.exe
PID 3772 wrote to memory of 1868	3772	y53uo93.exe	oneetx.exe
PID 3772 wrote to memory of 1868	3772	y53uo93.exe	oneetx.exe
PID 1868 wrote to memory of 900	1868	oneetx.exe	schtasks.exe
PID 1868 wrote to memory of 900	1868	oneetx.exe	schtasks.exe
PID 1868 wrote to memory of 900	1868	oneetx.exe	schtasks.exe
PID 1868 wrote to memory of 616	1868	oneetx.exe	cmd.exe
PID 1868 wrote to memory of 616	1868	oneetx.exe	cmd.exe
PID 1868 wrote to memory of 616	1868	oneetx.exe	cmd.exe
PID 616 wrote to memory of 4540	616	cmd.exe	cmd.exe
PID 616 wrote to memory of 4540	616	cmd.exe	cmd.exe
PID 616 wrote to memory of 4540	616	cmd.exe	cmd.exe
PID 616 wrote to memory of 3896	616	cmd.exe	cacls.exe
PID 616 wrote to memory of 3896	616	cmd.exe	cacls.exe
PID 616 wrote to memory of 3896	616	cmd.exe	cacls.exe
PID 616 wrote to memory of 400	616	cmd.exe	cacls.exe
PID 616 wrote to memory of 400	616	cmd.exe	cacls.exe
PID 616 wrote to memory of 400	616	cmd.exe	cacls.exe
PID 616 wrote to memory of 2356	616	cmd.exe	cmd.exe
PID 616 wrote to memory of 2356	616	cmd.exe	cmd.exe
PID 616 wrote to memory of 2356	616	cmd.exe	cmd.exe
PID 616 wrote to memory of 3688	616	cmd.exe	cacls.exe
PID 616 wrote to memory of 3688	616	cmd.exe	cacls.exe
PID 616 wrote to memory of 3688	616	cmd.exe	cacls.exe
PID 616 wrote to memory of 4444	616	cmd.exe	cacls.exe
PID 616 wrote to memory of 4444	616	cmd.exe	cacls.exe
PID 616 wrote to memory of 4444	616	cmd.exe	cacls.exe
PID 1868 wrote to memory of 1680	1868	oneetx.exe	rundll32.exe
PID 1868 wrote to memory of 1680	1868	oneetx.exe	rundll32.exe
PID 1868 wrote to memory of 1680	1868	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\11f2d11a5be62efff5d5a9e7a48f66dcb8d03f8397c13d8f25a8ae30f2ec79f6.exe
"C:\Users\Admin\AppData\Local\Temp\11f2d11a5be62efff5d5a9e7a48f66dcb8d03f8397c13d8f25a8ae30f2ec79f6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3532

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5207.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5207.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2124

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6537.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6537.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4876

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4801.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4801.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3916

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2010.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2010.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0122cS.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0122cS.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1084
6⤵
- Program crash
PID:3288

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w49hf34.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w49hf34.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1920
5⤵
- Program crash
PID:4808

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xweub23.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xweub23.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53uo93.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53uo93.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3772

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4540

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:3896

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2356

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:3688

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:4444

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3952 -ip 3952
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2204 -ip 2204
1⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:3292

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:3956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53uo93.exe
Filesize
236KB

MD5
5aaa4e433309ac00a76398c6fc02e7e7

SHA1
7e50267cb0fc680868a0488e51ec5a263179f220

SHA256
0770ba9fbe8a07881058790331bd74ea7a73eefa4a623ecbc7501102d0cc9146

SHA512
7c9a9fff76ee658ce19c760a42fc5431078d2c0a25b61d4ad2bf8e500d6c9cec6ca7af5a8963f710c5bf6ba867240b00030215962acc8a46a330137ad371022e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53uo93.exe
Filesize
236KB

MD5
5aaa4e433309ac00a76398c6fc02e7e7

SHA1
7e50267cb0fc680868a0488e51ec5a263179f220

SHA256
0770ba9fbe8a07881058790331bd74ea7a73eefa4a623ecbc7501102d0cc9146

SHA512
7c9a9fff76ee658ce19c760a42fc5431078d2c0a25b61d4ad2bf8e500d6c9cec6ca7af5a8963f710c5bf6ba867240b00030215962acc8a46a330137ad371022e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5207.exe
Filesize
815KB

MD5
b7a5699369762486b9bdfb67038afca2

SHA1
a59a623e7dff047a299e24fbe2b792387df9d2b0

SHA256
6b15a861a93c2b2acd1bf89211397db1c7c58da0cb42e439743edb8f03ff31f8

SHA512
f1dacac9fc63529551cda773ea2a837a4aa4a0d4cda93ded87b2b5958d29d768ae4bb1b212287eb972f6002d20aa3e1425a57c99d968eec2dea8b2f30cf8f4e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5207.exe
Filesize
815KB

MD5
b7a5699369762486b9bdfb67038afca2

SHA1
a59a623e7dff047a299e24fbe2b792387df9d2b0

SHA256
6b15a861a93c2b2acd1bf89211397db1c7c58da0cb42e439743edb8f03ff31f8

SHA512
f1dacac9fc63529551cda773ea2a837a4aa4a0d4cda93ded87b2b5958d29d768ae4bb1b212287eb972f6002d20aa3e1425a57c99d968eec2dea8b2f30cf8f4e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xweub23.exe
Filesize
175KB

MD5
42dbc229fbf8760f6b824fe225b0d5e5

SHA1
109c73c598f8365b36ff90ee407dbce3d9709a3d

SHA256
d113f36fe84dcc3b5226ddf1de4e87e9a2def3f4071df0a79d14ab7af77c7e91

SHA512
01ef7dd14ded810a8567432ae28079a1c8ccd88214819169b9386edbeb3b50756b03d99e3ef45aa040d814f4277fd67e9e4fd235aafbbe421374b06d561106bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xweub23.exe
Filesize
175KB

MD5
42dbc229fbf8760f6b824fe225b0d5e5

SHA1
109c73c598f8365b36ff90ee407dbce3d9709a3d

SHA256
d113f36fe84dcc3b5226ddf1de4e87e9a2def3f4071df0a79d14ab7af77c7e91

SHA512
01ef7dd14ded810a8567432ae28079a1c8ccd88214819169b9386edbeb3b50756b03d99e3ef45aa040d814f4277fd67e9e4fd235aafbbe421374b06d561106bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6537.exe
Filesize
674KB

MD5
981b63d61feac322c6b78ac9f8a4d736

SHA1
73d88bb440e8c7fc1c8c65a885e46b7638ad26ab

SHA256
6f7b4f9fcbc967a7ee8bd712ca422924b3bcce3ed617acf59988b6fffacfbc92

SHA512
8701f584b25dfb73f57194af4dbcc9cff68b0bd897a606736324a88b178d1f79fef3fa52fb3933501afba6aead2e4d9f5f4b7704d39ed7d9bfc208ad236d4d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6537.exe
Filesize
674KB

MD5
981b63d61feac322c6b78ac9f8a4d736

SHA1
73d88bb440e8c7fc1c8c65a885e46b7638ad26ab

SHA256
6f7b4f9fcbc967a7ee8bd712ca422924b3bcce3ed617acf59988b6fffacfbc92

SHA512
8701f584b25dfb73f57194af4dbcc9cff68b0bd897a606736324a88b178d1f79fef3fa52fb3933501afba6aead2e4d9f5f4b7704d39ed7d9bfc208ad236d4d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w49hf34.exe
Filesize
318KB

MD5
e28e4b4bd3c582ceafaf79b95cee8903

SHA1
1441714f018aea4a7ad61de6e453c9df42637443

SHA256
32ed5a0bab63d9ff567e1410b9174567c558054bf11647bf18dcb7a5421104c3

SHA512
b516e5d785377fc60cf4fe433865790e7151cb9a3d692df310b0f35a7b643807d6d6c56f2ea7f9087c3130570dd820ef815df85b4581485be8ba1bc97f16ef39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w49hf34.exe
Filesize
318KB

MD5
e28e4b4bd3c582ceafaf79b95cee8903

SHA1
1441714f018aea4a7ad61de6e453c9df42637443

SHA256
32ed5a0bab63d9ff567e1410b9174567c558054bf11647bf18dcb7a5421104c3

SHA512
b516e5d785377fc60cf4fe433865790e7151cb9a3d692df310b0f35a7b643807d6d6c56f2ea7f9087c3130570dd820ef815df85b4581485be8ba1bc97f16ef39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4801.exe
Filesize
333KB

MD5
78af4ae2d078de0bc270ad6881c04a4a

SHA1
8a51d07d61c3d0b70d8433875878fa352ea5cdb9

SHA256
e9ed0665400b9198d6423469f54fc3410d97b871ce8022797cbee25c84b0b14e

SHA512
2828f1e45fe3f3563c335489738c911da4cfa9158ee179d0930650aa02f589b884d465e4c53f79a40995f8e49e03f8efbe907107f537c4982959e8bfbc5faef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4801.exe
Filesize
333KB

MD5
78af4ae2d078de0bc270ad6881c04a4a

SHA1
8a51d07d61c3d0b70d8433875878fa352ea5cdb9

SHA256
e9ed0665400b9198d6423469f54fc3410d97b871ce8022797cbee25c84b0b14e

SHA512
2828f1e45fe3f3563c335489738c911da4cfa9158ee179d0930650aa02f589b884d465e4c53f79a40995f8e49e03f8efbe907107f537c4982959e8bfbc5faef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2010.exe
Filesize
11KB

MD5
4bc4e0ddb225d825a367190b805e766d

SHA1
7a4d3dd675d8dbc665cf37fd48a5611a83e58a6e

SHA256
c61b4d88f5e3bdaf0f87a221f096cb8f90d060075a0309797f7cea47b784ac61

SHA512
393b2b7ea60caec7869f9b38c09d346eba2476673dfbb2923784be81e41363524854ce87253a4720ddf07903751e1dc39f01b0ca5b708c0b438b83449c484c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2010.exe
Filesize
11KB

MD5
4bc4e0ddb225d825a367190b805e766d

SHA1
7a4d3dd675d8dbc665cf37fd48a5611a83e58a6e

SHA256
c61b4d88f5e3bdaf0f87a221f096cb8f90d060075a0309797f7cea47b784ac61

SHA512
393b2b7ea60caec7869f9b38c09d346eba2476673dfbb2923784be81e41363524854ce87253a4720ddf07903751e1dc39f01b0ca5b708c0b438b83449c484c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0122cS.exe
Filesize
259KB

MD5
e0eaa7270aae1ee305e0c08f84263e32

SHA1
84d880394de1fecdcc5d636617075a3dc5e6e226

SHA256
9b9b2d50dad5c10ae88eff082a4ddd4e36222e72b3d67211b1d3e00fcbea3e55

SHA512
8b3895129e2eee8778adedc300be4bc16d6bcd15bd1bfccd2ac1ac74f3fb13a3fb2ece91b1ff0a4ad9b6a7af0559234dd2ad6d9a36405741427182cd4c59898f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0122cS.exe
Filesize
259KB

MD5
e0eaa7270aae1ee305e0c08f84263e32

SHA1
84d880394de1fecdcc5d636617075a3dc5e6e226

SHA256
9b9b2d50dad5c10ae88eff082a4ddd4e36222e72b3d67211b1d3e00fcbea3e55

SHA512
8b3895129e2eee8778adedc300be4bc16d6bcd15bd1bfccd2ac1ac74f3fb13a3fb2ece91b1ff0a4ad9b6a7af0559234dd2ad6d9a36405741427182cd4c59898f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
5aaa4e433309ac00a76398c6fc02e7e7

SHA1
7e50267cb0fc680868a0488e51ec5a263179f220

SHA256
0770ba9fbe8a07881058790331bd74ea7a73eefa4a623ecbc7501102d0cc9146

SHA512
7c9a9fff76ee658ce19c760a42fc5431078d2c0a25b61d4ad2bf8e500d6c9cec6ca7af5a8963f710c5bf6ba867240b00030215962acc8a46a330137ad371022e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
5aaa4e433309ac00a76398c6fc02e7e7

SHA1
7e50267cb0fc680868a0488e51ec5a263179f220

SHA256
0770ba9fbe8a07881058790331bd74ea7a73eefa4a623ecbc7501102d0cc9146

SHA512
7c9a9fff76ee658ce19c760a42fc5431078d2c0a25b61d4ad2bf8e500d6c9cec6ca7af5a8963f710c5bf6ba867240b00030215962acc8a46a330137ad371022e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
5aaa4e433309ac00a76398c6fc02e7e7

SHA1
7e50267cb0fc680868a0488e51ec5a263179f220

SHA256
0770ba9fbe8a07881058790331bd74ea7a73eefa4a623ecbc7501102d0cc9146

SHA512
7c9a9fff76ee658ce19c760a42fc5431078d2c0a25b61d4ad2bf8e500d6c9cec6ca7af5a8963f710c5bf6ba867240b00030215962acc8a46a330137ad371022e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
5aaa4e433309ac00a76398c6fc02e7e7

SHA1
7e50267cb0fc680868a0488e51ec5a263179f220

SHA256
0770ba9fbe8a07881058790331bd74ea7a73eefa4a623ecbc7501102d0cc9146

SHA512
7c9a9fff76ee658ce19c760a42fc5431078d2c0a25b61d4ad2bf8e500d6c9cec6ca7af5a8963f710c5bf6ba867240b00030215962acc8a46a330137ad371022e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
5aaa4e433309ac00a76398c6fc02e7e7

SHA1
7e50267cb0fc680868a0488e51ec5a263179f220

SHA256
0770ba9fbe8a07881058790331bd74ea7a73eefa4a623ecbc7501102d0cc9146

SHA512
7c9a9fff76ee658ce19c760a42fc5431078d2c0a25b61d4ad2bf8e500d6c9cec6ca7af5a8963f710c5bf6ba867240b00030215962acc8a46a330137ad371022e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1868-161-0x00000000006F0000-0x00000000006FA000-memory.dmp

Filesize
40KB

Download
memory/2204-1128-0x0000000006350000-0x00000000063C6000-memory.dmp

Filesize
472KB

Download
memory/2204-292-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/2204-1135-0x0000000006740000-0x0000000006C6C000-memory.dmp

Filesize
5.2MB

Download
memory/2204-1134-0x0000000006560000-0x0000000006722000-memory.dmp

Filesize
1.8MB

Download
memory/2204-1133-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/2204-1132-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/2204-1131-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/2204-1130-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/2204-1129-0x00000000063E0000-0x0000000006430000-memory.dmp

Filesize
320KB

Download
memory/2204-1126-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/2204-1125-0x0000000005BB0000-0x0000000005C42000-memory.dmp

Filesize
584KB

Download
memory/2204-210-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/2204-211-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/2204-213-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/2204-215-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/2204-217-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/2204-219-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/2204-221-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/2204-223-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/2204-225-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/2204-227-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/2204-229-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/2204-231-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/2204-233-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/2204-235-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/2204-237-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/2204-239-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/2204-241-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/2204-243-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/2204-288-0x0000000002120000-0x000000000216B000-memory.dmp

Filesize
300KB

Download
memory/2204-290-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/2204-1124-0x00000000058C0000-0x00000000058FC000-memory.dmp

Filesize
240KB

Download
memory/2204-294-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/2204-1120-0x00000000050F0000-0x0000000005708000-memory.dmp

Filesize
6.1MB

Download
memory/2204-1121-0x0000000005760000-0x000000000586A000-memory.dmp

Filesize
1.0MB

Download
memory/2204-1122-0x00000000058A0000-0x00000000058B2000-memory.dmp

Filesize
72KB

Download
memory/2204-1123-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3952-185-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3952-193-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3952-195-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3952-169-0x0000000000620000-0x000000000064D000-memory.dmp

Filesize
180KB

Download
memory/3952-205-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3952-203-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3952-202-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3952-201-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3952-200-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3952-199-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3952-197-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3952-187-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3952-168-0x0000000004B40000-0x00000000050E4000-memory.dmp

Filesize
5.6MB

Download
memory/3952-191-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3952-189-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3952-183-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3952-181-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3952-179-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3952-177-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3952-175-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3952-173-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3952-172-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3952-171-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3952-170-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4668-1142-0x0000000005C60000-0x0000000005C70000-memory.dmp

Filesize
64KB

Download
memory/4668-1141-0x0000000000FF0000-0x0000000001022000-memory.dmp

Filesize
200KB

Download