amadey | 080aec461110a51969b6ef0c47df2b12fe5cfef63e1c4d51f9322bdcb93b70da

Analysis

max time kernel
148s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

080aec461110a51969b6ef0c47df2b12fe5cfef63e1c4d51f9322bdcb93b70da.exe
Size

1000KB
MD5

00981e2ba3ee61f41f4d74450b44c105
SHA1

ac2f3a792339e52175f5fa93ab955278c072b2b2
SHA256

080aec461110a51969b6ef0c47df2b12fe5cfef63e1c4d51f9322bdcb93b70da
SHA512

ae693d1d944cecea467e9721f671e162bf4bed86f26bade85e33572f96699ff53e0cc4e0383d879fb611743a7d34e068098d0583b198479021b3a1887a550d8f
SSDEEP

24576:9ysuSaH4ARDxk5fzoFwEgBotKoGFUBxk+mRSfAtgi:YUafmfzoFMyKfFexkjRSf

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz6174.exev3129KR.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz6174.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v3129KR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz6174.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz6174.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz6174.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v3129KR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v3129KR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v3129KR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v3129KR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz6174.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz6174.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v3129KR.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1792-209-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/1792-210-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/1792-212-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/1792-214-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/1792-216-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/1792-218-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/1792-220-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/1792-222-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/1792-224-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/1792-226-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/1792-228-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/1792-230-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/1792-232-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/1792-234-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/1792-236-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/1792-238-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/1792-240-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline
behavioral1/memory/1792-242-0x0000000004AA0000-0x0000000004ADF000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y47Pz99.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	y47Pz99.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 11 IoCs

Processes:

zap5626.exezap5660.exezap2814.exetz6174.exev3129KR.exew25Wz59.exexroFO93.exey47Pz99.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
2220	zap5626.exe
2072	zap5660.exe
3232	zap2814.exe
1048	tz6174.exe
632	v3129KR.exe
1792	w25Wz59.exe
4436	xroFO93.exe
3612	y47Pz99.exe
3956	oneetx.exe
536	oneetx.exe
1216	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4192 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4192	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz6174.exev3129KR.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz6174.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v3129KR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v3129KR.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap5626.exezap5660.exezap2814.exe080aec461110a51969b6ef0c47df2b12fe5cfef63e1c4d51f9322bdcb93b70da.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap5626.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap5660.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap5660.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap2814.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	080aec461110a51969b6ef0c47df2b12fe5cfef63e1c4d51f9322bdcb93b70da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	080aec461110a51969b6ef0c47df2b12fe5cfef63e1c4d51f9322bdcb93b70da.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap5626.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2924 632 WerFault.exe v3129KR.exe
516 1792 WerFault.exe w25Wz59.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2384 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz6174.exev3129KR.exew25Wz59.exexroFO93.exe

pid process

1048 tz6174.exe
1048 tz6174.exe
632 v3129KR.exe
632 v3129KR.exe
1792 w25Wz59.exe
1792 w25Wz59.exe
4436 xroFO93.exe
4436 xroFO93.exe

pid	pid_target	process	target process
2924	632	WerFault.exe	v3129KR.exe
516	1792	WerFault.exe	w25Wz59.exe

pid	process
2384	schtasks.exe

pid	process
1048	tz6174.exe
1048	tz6174.exe
632	v3129KR.exe
632	v3129KR.exe
1792	w25Wz59.exe
1792	w25Wz59.exe
4436	xroFO93.exe
4436	xroFO93.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz6174.exev3129KR.exew25Wz59.exexroFO93.exe

description	pid	process
Token: SeDebugPrivilege	1048	tz6174.exe
Token: SeDebugPrivilege	632	v3129KR.exe
Token: SeDebugPrivilege	1792	w25Wz59.exe
Token: SeDebugPrivilege	4436	xroFO93.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y47Pz99.exe

pid process

3612 y47Pz99.exe

pid	process
3612	y47Pz99.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

080aec461110a51969b6ef0c47df2b12fe5cfef63e1c4d51f9322bdcb93b70da.exezap5626.exezap5660.exezap2814.exey47Pz99.exeoneetx.execmd.exe

description	pid	process	target process
PID 2708 wrote to memory of 2220	2708	080aec461110a51969b6ef0c47df2b12fe5cfef63e1c4d51f9322bdcb93b70da.exe	zap5626.exe
PID 2708 wrote to memory of 2220	2708	080aec461110a51969b6ef0c47df2b12fe5cfef63e1c4d51f9322bdcb93b70da.exe	zap5626.exe
PID 2708 wrote to memory of 2220	2708	080aec461110a51969b6ef0c47df2b12fe5cfef63e1c4d51f9322bdcb93b70da.exe	zap5626.exe
PID 2220 wrote to memory of 2072	2220	zap5626.exe	zap5660.exe
PID 2220 wrote to memory of 2072	2220	zap5626.exe	zap5660.exe
PID 2220 wrote to memory of 2072	2220	zap5626.exe	zap5660.exe
PID 2072 wrote to memory of 3232	2072	zap5660.exe	zap2814.exe
PID 2072 wrote to memory of 3232	2072	zap5660.exe	zap2814.exe
PID 2072 wrote to memory of 3232	2072	zap5660.exe	zap2814.exe
PID 3232 wrote to memory of 1048	3232	zap2814.exe	tz6174.exe
PID 3232 wrote to memory of 1048	3232	zap2814.exe	tz6174.exe
PID 3232 wrote to memory of 632	3232	zap2814.exe	v3129KR.exe
PID 3232 wrote to memory of 632	3232	zap2814.exe	v3129KR.exe
PID 3232 wrote to memory of 632	3232	zap2814.exe	v3129KR.exe
PID 2072 wrote to memory of 1792	2072	zap5660.exe	w25Wz59.exe
PID 2072 wrote to memory of 1792	2072	zap5660.exe	w25Wz59.exe
PID 2072 wrote to memory of 1792	2072	zap5660.exe	w25Wz59.exe
PID 2220 wrote to memory of 4436	2220	zap5626.exe	xroFO93.exe
PID 2220 wrote to memory of 4436	2220	zap5626.exe	xroFO93.exe
PID 2220 wrote to memory of 4436	2220	zap5626.exe	xroFO93.exe
PID 2708 wrote to memory of 3612	2708	080aec461110a51969b6ef0c47df2b12fe5cfef63e1c4d51f9322bdcb93b70da.exe	y47Pz99.exe
PID 2708 wrote to memory of 3612	2708	080aec461110a51969b6ef0c47df2b12fe5cfef63e1c4d51f9322bdcb93b70da.exe	y47Pz99.exe
PID 2708 wrote to memory of 3612	2708	080aec461110a51969b6ef0c47df2b12fe5cfef63e1c4d51f9322bdcb93b70da.exe	y47Pz99.exe
PID 3612 wrote to memory of 3956	3612	y47Pz99.exe	oneetx.exe
PID 3612 wrote to memory of 3956	3612	y47Pz99.exe	oneetx.exe
PID 3612 wrote to memory of 3956	3612	y47Pz99.exe	oneetx.exe
PID 3956 wrote to memory of 2384	3956	oneetx.exe	schtasks.exe
PID 3956 wrote to memory of 2384	3956	oneetx.exe	schtasks.exe
PID 3956 wrote to memory of 2384	3956	oneetx.exe	schtasks.exe
PID 3956 wrote to memory of 4868	3956	oneetx.exe	cmd.exe
PID 3956 wrote to memory of 4868	3956	oneetx.exe	cmd.exe
PID 3956 wrote to memory of 4868	3956	oneetx.exe	cmd.exe
PID 4868 wrote to memory of 4272	4868	cmd.exe	cmd.exe
PID 4868 wrote to memory of 4272	4868	cmd.exe	cmd.exe
PID 4868 wrote to memory of 4272	4868	cmd.exe	cmd.exe
PID 4868 wrote to memory of 4080	4868	cmd.exe	cacls.exe
PID 4868 wrote to memory of 4080	4868	cmd.exe	cacls.exe
PID 4868 wrote to memory of 4080	4868	cmd.exe	cacls.exe
PID 4868 wrote to memory of 4500	4868	cmd.exe	cacls.exe
PID 4868 wrote to memory of 4500	4868	cmd.exe	cacls.exe
PID 4868 wrote to memory of 4500	4868	cmd.exe	cacls.exe
PID 4868 wrote to memory of 1976	4868	cmd.exe	cmd.exe
PID 4868 wrote to memory of 1976	4868	cmd.exe	cmd.exe
PID 4868 wrote to memory of 1976	4868	cmd.exe	cmd.exe
PID 4868 wrote to memory of 4280	4868	cmd.exe	cacls.exe
PID 4868 wrote to memory of 4280	4868	cmd.exe	cacls.exe
PID 4868 wrote to memory of 4280	4868	cmd.exe	cacls.exe
PID 4868 wrote to memory of 960	4868	cmd.exe	cacls.exe
PID 4868 wrote to memory of 960	4868	cmd.exe	cacls.exe
PID 4868 wrote to memory of 960	4868	cmd.exe	cacls.exe
PID 3956 wrote to memory of 4192	3956	oneetx.exe	rundll32.exe
PID 3956 wrote to memory of 4192	3956	oneetx.exe	rundll32.exe
PID 3956 wrote to memory of 4192	3956	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\080aec461110a51969b6ef0c47df2b12fe5cfef63e1c4d51f9322bdcb93b70da.exe
"C:\Users\Admin\AppData\Local\Temp\080aec461110a51969b6ef0c47df2b12fe5cfef63e1c4d51f9322bdcb93b70da.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5626.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5626.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5660.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5660.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2072

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2814.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2814.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6174.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6174.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3129KR.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3129KR.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 1080
6⤵
- Program crash
PID:2924

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w25Wz59.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w25Wz59.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 1356
5⤵
- Program crash
PID:516

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xroFO93.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xroFO93.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y47Pz99.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y47Pz99.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3612

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:2384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4272

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:4080

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1976

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:4280

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:960

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 632 -ip 632
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1792 -ip 1792
1⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:536

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:1216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y47Pz99.exe
Filesize
236KB

MD5
24afc68974ccdc81e2539a143b1045ab

SHA1
5bad87dd80f0d3fbbb5152ad901e178f9eca5435

SHA256
7c6c403cf605b3b7ec8716ca45fcf9da7b27369d73f3e0649d5b016f900e730f

SHA512
ed39a28dbbc838663084d7abd05b4ccb3a526db10672018e50dbd5b2ba6d23815d8440a0eed07a0840971955b4032d2ea9708dc442e941edae9691a04e47b9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y47Pz99.exe
Filesize
236KB

MD5
24afc68974ccdc81e2539a143b1045ab

SHA1
5bad87dd80f0d3fbbb5152ad901e178f9eca5435

SHA256
7c6c403cf605b3b7ec8716ca45fcf9da7b27369d73f3e0649d5b016f900e730f

SHA512
ed39a28dbbc838663084d7abd05b4ccb3a526db10672018e50dbd5b2ba6d23815d8440a0eed07a0840971955b4032d2ea9708dc442e941edae9691a04e47b9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5626.exe
Filesize
817KB

MD5
bab0ba0ee89fdb4dd9939af24b3b1281

SHA1
5b84b5df5de1c62ff2408393a255b79c262eff26

SHA256
ca25ba25482de6f7a714f975bfe416403abdcd46ff7b9e6eab797b81eea627cd

SHA512
761fef378939476095e2cef0d0b9967b561326c3f3470ff6daf43f98872215169a49897bb15efab21b31c2d3cdc191b18407821bac3cf71a9d8398aaf5a18a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5626.exe
Filesize
817KB

MD5
bab0ba0ee89fdb4dd9939af24b3b1281

SHA1
5b84b5df5de1c62ff2408393a255b79c262eff26

SHA256
ca25ba25482de6f7a714f975bfe416403abdcd46ff7b9e6eab797b81eea627cd

SHA512
761fef378939476095e2cef0d0b9967b561326c3f3470ff6daf43f98872215169a49897bb15efab21b31c2d3cdc191b18407821bac3cf71a9d8398aaf5a18a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xroFO93.exe
Filesize
175KB

MD5
138a7f85bbd8a9847c909496afd17f71

SHA1
baea0f7f23f51fbc0ed2436cab0f1e6fedb3019f

SHA256
6f4654626f6882089488dda7988b11f2c8a3f66d6782a3e566374c0fe502706d

SHA512
6a71fd68157a50312dd80fa200abb80e7a0326df51444e3a06a8eff13404e11d40ec9a9f1feec5e262eb8f192bbebd62f9c95b08f1629bd5c259dc37d9b728fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xroFO93.exe
Filesize
175KB

MD5
138a7f85bbd8a9847c909496afd17f71

SHA1
baea0f7f23f51fbc0ed2436cab0f1e6fedb3019f

SHA256
6f4654626f6882089488dda7988b11f2c8a3f66d6782a3e566374c0fe502706d

SHA512
6a71fd68157a50312dd80fa200abb80e7a0326df51444e3a06a8eff13404e11d40ec9a9f1feec5e262eb8f192bbebd62f9c95b08f1629bd5c259dc37d9b728fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5660.exe
Filesize
675KB

MD5
d3925788ac87749dac065fbdda824abd

SHA1
dca447e73c053bf7c306a8423f58c38c7bfbb2cc

SHA256
072b22fc29d56e48ccd09389dc882e4e562e7048a9e88568c5543088f4586c4a

SHA512
996cf2c4a84703848472b4b19cdb1c47c481b1110146744712c5d754430822243bfc66b1f0ddc1cec5229e021e1c21438987b2681b8c9b1fae84ec42a016a165

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5660.exe
Filesize
675KB

MD5
d3925788ac87749dac065fbdda824abd

SHA1
dca447e73c053bf7c306a8423f58c38c7bfbb2cc

SHA256
072b22fc29d56e48ccd09389dc882e4e562e7048a9e88568c5543088f4586c4a

SHA512
996cf2c4a84703848472b4b19cdb1c47c481b1110146744712c5d754430822243bfc66b1f0ddc1cec5229e021e1c21438987b2681b8c9b1fae84ec42a016a165

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w25Wz59.exe
Filesize
318KB

MD5
82da227f32ea2c5da4a990f06b27f90c

SHA1
9bfa59e6b322cacaef975f20122b14a873fb3e18

SHA256
8575e7b86fefdd3b49439da2e1d2fe5f43d31784eb18c18dc5cf725a0a232ad9

SHA512
9bf2dc772a5046c16c5e6fdf90d21d41d17e828511d5f8e2bd1d6db04398ff2eda29e5fc5db81bd778ad90c7be2815cb9da7271c9431456386c57aaa6aee779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w25Wz59.exe
Filesize
318KB

MD5
82da227f32ea2c5da4a990f06b27f90c

SHA1
9bfa59e6b322cacaef975f20122b14a873fb3e18

SHA256
8575e7b86fefdd3b49439da2e1d2fe5f43d31784eb18c18dc5cf725a0a232ad9

SHA512
9bf2dc772a5046c16c5e6fdf90d21d41d17e828511d5f8e2bd1d6db04398ff2eda29e5fc5db81bd778ad90c7be2815cb9da7271c9431456386c57aaa6aee779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2814.exe
Filesize
333KB

MD5
6650802b6d722cb3c6e0871aa587459a

SHA1
9beaae241f88db1b21cabc38e368b8e5e141ccdd

SHA256
210419eda289be74bbf00aacdd5b04943bff1365e2edacad2e4784098502109f

SHA512
b053c3a79571d2f875e4c4757e46a136d455fa52388d283f45e3a732e456c63fa40fbdb74071b47eb82a608da33d204af9cf5fc326dc0e9266e645cbae29a017

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2814.exe
Filesize
333KB

MD5
6650802b6d722cb3c6e0871aa587459a

SHA1
9beaae241f88db1b21cabc38e368b8e5e141ccdd

SHA256
210419eda289be74bbf00aacdd5b04943bff1365e2edacad2e4784098502109f

SHA512
b053c3a79571d2f875e4c4757e46a136d455fa52388d283f45e3a732e456c63fa40fbdb74071b47eb82a608da33d204af9cf5fc326dc0e9266e645cbae29a017

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6174.exe
Filesize
11KB

MD5
20548fc1b56126563d558e5f562f0c2d

SHA1
f915dbec9b28f6ed736c5183407ed12638c6b26f

SHA256
a79da7ff353422d672ae4844b43f54845ce25c27e00676520f7feb33a33ac9c7

SHA512
ad9f5fe08947ec0db09c6019c37246227e31ae57b929c96a0822f5f85fd48f77cd849e398fc13b1c139143a06a45b24f018558f91c724bb4ac3bd6657d011ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6174.exe
Filesize
11KB

MD5
20548fc1b56126563d558e5f562f0c2d

SHA1
f915dbec9b28f6ed736c5183407ed12638c6b26f

SHA256
a79da7ff353422d672ae4844b43f54845ce25c27e00676520f7feb33a33ac9c7

SHA512
ad9f5fe08947ec0db09c6019c37246227e31ae57b929c96a0822f5f85fd48f77cd849e398fc13b1c139143a06a45b24f018558f91c724bb4ac3bd6657d011ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3129KR.exe
Filesize
259KB

MD5
e8421f57e7f97de1a7ec8be4d62786fe

SHA1
cbec39da9e69a62945c64ae9604a056f3d314dde

SHA256
189f585c9acdf69fa1c8722ebbca9f90032adebe3be203bf7c588d156f55be48

SHA512
b59cdacff1bcde5bacd411016efccca66637e4dd4aad5c17a9f0240ab568c0668871fa49a8ca87ed74081c1bf5c33e7e65fd9f5332c652ae3e2f8e05506feeb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3129KR.exe
Filesize
259KB

MD5
e8421f57e7f97de1a7ec8be4d62786fe

SHA1
cbec39da9e69a62945c64ae9604a056f3d314dde

SHA256
189f585c9acdf69fa1c8722ebbca9f90032adebe3be203bf7c588d156f55be48

SHA512
b59cdacff1bcde5bacd411016efccca66637e4dd4aad5c17a9f0240ab568c0668871fa49a8ca87ed74081c1bf5c33e7e65fd9f5332c652ae3e2f8e05506feeb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
24afc68974ccdc81e2539a143b1045ab

SHA1
5bad87dd80f0d3fbbb5152ad901e178f9eca5435

SHA256
7c6c403cf605b3b7ec8716ca45fcf9da7b27369d73f3e0649d5b016f900e730f

SHA512
ed39a28dbbc838663084d7abd05b4ccb3a526db10672018e50dbd5b2ba6d23815d8440a0eed07a0840971955b4032d2ea9708dc442e941edae9691a04e47b9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
24afc68974ccdc81e2539a143b1045ab

SHA1
5bad87dd80f0d3fbbb5152ad901e178f9eca5435

SHA256
7c6c403cf605b3b7ec8716ca45fcf9da7b27369d73f3e0649d5b016f900e730f

SHA512
ed39a28dbbc838663084d7abd05b4ccb3a526db10672018e50dbd5b2ba6d23815d8440a0eed07a0840971955b4032d2ea9708dc442e941edae9691a04e47b9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
24afc68974ccdc81e2539a143b1045ab

SHA1
5bad87dd80f0d3fbbb5152ad901e178f9eca5435

SHA256
7c6c403cf605b3b7ec8716ca45fcf9da7b27369d73f3e0649d5b016f900e730f

SHA512
ed39a28dbbc838663084d7abd05b4ccb3a526db10672018e50dbd5b2ba6d23815d8440a0eed07a0840971955b4032d2ea9708dc442e941edae9691a04e47b9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
24afc68974ccdc81e2539a143b1045ab

SHA1
5bad87dd80f0d3fbbb5152ad901e178f9eca5435

SHA256
7c6c403cf605b3b7ec8716ca45fcf9da7b27369d73f3e0649d5b016f900e730f

SHA512
ed39a28dbbc838663084d7abd05b4ccb3a526db10672018e50dbd5b2ba6d23815d8440a0eed07a0840971955b4032d2ea9708dc442e941edae9691a04e47b9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
24afc68974ccdc81e2539a143b1045ab

SHA1
5bad87dd80f0d3fbbb5152ad901e178f9eca5435

SHA256
7c6c403cf605b3b7ec8716ca45fcf9da7b27369d73f3e0649d5b016f900e730f

SHA512
ed39a28dbbc838663084d7abd05b4ccb3a526db10672018e50dbd5b2ba6d23815d8440a0eed07a0840971955b4032d2ea9708dc442e941edae9691a04e47b9ef

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/632-181-0x0000000002100000-0x000000000212D000-memory.dmp

Filesize
180KB

Download
memory/632-175-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/632-187-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/632-189-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/632-191-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/632-193-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/632-195-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/632-197-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/632-199-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/632-200-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/632-201-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/632-202-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/632-204-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/632-167-0x0000000004B70000-0x0000000005114000-memory.dmp

Filesize
5.6MB

Download
memory/632-183-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/632-185-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/632-182-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/632-179-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/632-177-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/632-186-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/632-173-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/632-171-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/632-169-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/632-168-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/1048-161-0x0000000000FD0000-0x0000000000FDA000-memory.dmp

Filesize
40KB

Download
memory/1792-218-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/1792-1128-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/1792-234-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/1792-236-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/1792-238-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/1792-240-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/1792-242-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/1792-473-0x00000000007A0000-0x00000000007EB000-memory.dmp

Filesize
300KB

Download
memory/1792-475-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/1792-479-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/1792-477-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/1792-1119-0x0000000005120000-0x0000000005738000-memory.dmp

Filesize
6.1MB

Download
memory/1792-1120-0x0000000005760000-0x000000000586A000-memory.dmp

Filesize
1.0MB

Download
memory/1792-1121-0x00000000058A0000-0x00000000058B2000-memory.dmp

Filesize
72KB

Download
memory/1792-1122-0x00000000058C0000-0x00000000058FC000-memory.dmp

Filesize
240KB

Download
memory/1792-1123-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/1792-1125-0x0000000005BB0000-0x0000000005C42000-memory.dmp

Filesize
584KB

Download
memory/1792-1126-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/1792-1127-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/1792-232-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/1792-1129-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/1792-1130-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/1792-1131-0x0000000006450000-0x00000000064C6000-memory.dmp

Filesize
472KB

Download
memory/1792-1132-0x00000000064E0000-0x0000000006530000-memory.dmp

Filesize
320KB

Download
memory/1792-1133-0x00000000066A0000-0x0000000006862000-memory.dmp

Filesize
1.8MB

Download
memory/1792-1134-0x0000000006880000-0x0000000006DAC000-memory.dmp

Filesize
5.2MB

Download
memory/1792-209-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/1792-210-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/1792-230-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/1792-228-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/1792-226-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/1792-224-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/1792-222-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/1792-220-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/1792-216-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/1792-214-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/1792-212-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

Filesize
252KB

Download
memory/4436-1141-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/4436-1140-0x0000000000880000-0x00000000008B2000-memory.dmp

Filesize
200KB

Download