amadey | 61f8f22aa0fdf15fa565de3ef9d37d3740ff30f2588f6d9121b407dea6f103df

Analysis

max time kernel
148s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61f8f22aa0fdf15fa565de3ef9d37d3740ff30f2588f6d9121b407dea6f103df.exe
Size

1001KB
MD5

32c32b1c15002925d8808f48a68eb48c
SHA1

b3094cfec1bd739d66937b200dfdd09ad6a2080d
SHA256

61f8f22aa0fdf15fa565de3ef9d37d3740ff30f2588f6d9121b407dea6f103df
SHA512

7a6043f9b42890ef165cce3d971aae3118d5f667bc165092ea9497506dc696f86cccc4835d366a8096be3246ebc5c050d7a25e8d03c2139accce29922a814c7a
SSDEEP

24576:9y0bjFX8DZAmxDNIMlIGRXiPZ+bnjpSbOHyFIPyY:Y0bj92WmxDNIq1Rih+bn1SCHyFQy

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz8691.exev2340Xv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz8691.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz8691.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v2340Xv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v2340Xv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v2340Xv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v2340Xv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz8691.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz8691.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz8691.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz8691.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v2340Xv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v2340Xv.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1408-210-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/1408-211-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/1408-213-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/1408-215-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/1408-217-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/1408-219-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/1408-221-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/1408-225-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/1408-223-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/1408-227-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/1408-231-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/1408-234-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/1408-239-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/1408-237-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/1408-241-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/1408-243-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/1408-245-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/1408-247-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/1408-1132-0x0000000004CE0000-0x0000000004CF0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y12bL89.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	y12bL89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 11 IoCs

Processes:

zap7954.exezap5638.exezap3088.exetz8691.exev2340Xv.exew84Zn91.exexHtMJ24.exey12bL89.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
5084	zap7954.exe
3612	zap5638.exe
4036	zap3088.exe
4244	tz8691.exe
3732	v2340Xv.exe
1408	w84Zn91.exe
528	xHtMJ24.exe
3224	y12bL89.exe
1796	oneetx.exe
1760	oneetx.exe
2104	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1496 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1496	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v2340Xv.exetz8691.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v2340Xv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v2340Xv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz8691.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap7954.exezap5638.exezap3088.exe61f8f22aa0fdf15fa565de3ef9d37d3740ff30f2588f6d9121b407dea6f103df.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap7954.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap5638.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap5638.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3088.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap3088.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	61f8f22aa0fdf15fa565de3ef9d37d3740ff30f2588f6d9121b407dea6f103df.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	61f8f22aa0fdf15fa565de3ef9d37d3740ff30f2588f6d9121b407dea6f103df.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7954.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2152 3732 WerFault.exe v2340Xv.exe
4864 1408 WerFault.exe w84Zn91.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3760 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz8691.exev2340Xv.exew84Zn91.exexHtMJ24.exe

pid process

4244 tz8691.exe
4244 tz8691.exe
3732 v2340Xv.exe
3732 v2340Xv.exe
1408 w84Zn91.exe
1408 w84Zn91.exe
528 xHtMJ24.exe
528 xHtMJ24.exe

pid	pid_target	process	target process
2152	3732	WerFault.exe	v2340Xv.exe
4864	1408	WerFault.exe	w84Zn91.exe

pid	process
3760	schtasks.exe

pid	process
4244	tz8691.exe
4244	tz8691.exe
3732	v2340Xv.exe
3732	v2340Xv.exe
1408	w84Zn91.exe
1408	w84Zn91.exe
528	xHtMJ24.exe
528	xHtMJ24.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz8691.exev2340Xv.exew84Zn91.exexHtMJ24.exe

description	pid	process
Token: SeDebugPrivilege	4244	tz8691.exe
Token: SeDebugPrivilege	3732	v2340Xv.exe
Token: SeDebugPrivilege	1408	w84Zn91.exe
Token: SeDebugPrivilege	528	xHtMJ24.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y12bL89.exe

pid process

3224 y12bL89.exe

pid	process
3224	y12bL89.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

61f8f22aa0fdf15fa565de3ef9d37d3740ff30f2588f6d9121b407dea6f103df.exezap7954.exezap5638.exezap3088.exey12bL89.exeoneetx.execmd.exe

description	pid	process	target process
PID 748 wrote to memory of 5084	748	61f8f22aa0fdf15fa565de3ef9d37d3740ff30f2588f6d9121b407dea6f103df.exe	zap7954.exe
PID 748 wrote to memory of 5084	748	61f8f22aa0fdf15fa565de3ef9d37d3740ff30f2588f6d9121b407dea6f103df.exe	zap7954.exe
PID 748 wrote to memory of 5084	748	61f8f22aa0fdf15fa565de3ef9d37d3740ff30f2588f6d9121b407dea6f103df.exe	zap7954.exe
PID 5084 wrote to memory of 3612	5084	zap7954.exe	zap5638.exe
PID 5084 wrote to memory of 3612	5084	zap7954.exe	zap5638.exe
PID 5084 wrote to memory of 3612	5084	zap7954.exe	zap5638.exe
PID 3612 wrote to memory of 4036	3612	zap5638.exe	zap3088.exe
PID 3612 wrote to memory of 4036	3612	zap5638.exe	zap3088.exe
PID 3612 wrote to memory of 4036	3612	zap5638.exe	zap3088.exe
PID 4036 wrote to memory of 4244	4036	zap3088.exe	tz8691.exe
PID 4036 wrote to memory of 4244	4036	zap3088.exe	tz8691.exe
PID 4036 wrote to memory of 3732	4036	zap3088.exe	v2340Xv.exe
PID 4036 wrote to memory of 3732	4036	zap3088.exe	v2340Xv.exe
PID 4036 wrote to memory of 3732	4036	zap3088.exe	v2340Xv.exe
PID 3612 wrote to memory of 1408	3612	zap5638.exe	w84Zn91.exe
PID 3612 wrote to memory of 1408	3612	zap5638.exe	w84Zn91.exe
PID 3612 wrote to memory of 1408	3612	zap5638.exe	w84Zn91.exe
PID 5084 wrote to memory of 528	5084	zap7954.exe	xHtMJ24.exe
PID 5084 wrote to memory of 528	5084	zap7954.exe	xHtMJ24.exe
PID 5084 wrote to memory of 528	5084	zap7954.exe	xHtMJ24.exe
PID 748 wrote to memory of 3224	748	61f8f22aa0fdf15fa565de3ef9d37d3740ff30f2588f6d9121b407dea6f103df.exe	y12bL89.exe
PID 748 wrote to memory of 3224	748	61f8f22aa0fdf15fa565de3ef9d37d3740ff30f2588f6d9121b407dea6f103df.exe	y12bL89.exe
PID 748 wrote to memory of 3224	748	61f8f22aa0fdf15fa565de3ef9d37d3740ff30f2588f6d9121b407dea6f103df.exe	y12bL89.exe
PID 3224 wrote to memory of 1796	3224	y12bL89.exe	oneetx.exe
PID 3224 wrote to memory of 1796	3224	y12bL89.exe	oneetx.exe
PID 3224 wrote to memory of 1796	3224	y12bL89.exe	oneetx.exe
PID 1796 wrote to memory of 3760	1796	oneetx.exe	schtasks.exe
PID 1796 wrote to memory of 3760	1796	oneetx.exe	schtasks.exe
PID 1796 wrote to memory of 3760	1796	oneetx.exe	schtasks.exe
PID 1796 wrote to memory of 4836	1796	oneetx.exe	cmd.exe
PID 1796 wrote to memory of 4836	1796	oneetx.exe	cmd.exe
PID 1796 wrote to memory of 4836	1796	oneetx.exe	cmd.exe
PID 4836 wrote to memory of 4628	4836	cmd.exe	cmd.exe
PID 4836 wrote to memory of 4628	4836	cmd.exe	cmd.exe
PID 4836 wrote to memory of 4628	4836	cmd.exe	cmd.exe
PID 4836 wrote to memory of 1388	4836	cmd.exe	cacls.exe
PID 4836 wrote to memory of 1388	4836	cmd.exe	cacls.exe
PID 4836 wrote to memory of 1388	4836	cmd.exe	cacls.exe
PID 4836 wrote to memory of 3948	4836	cmd.exe	cacls.exe
PID 4836 wrote to memory of 3948	4836	cmd.exe	cacls.exe
PID 4836 wrote to memory of 3948	4836	cmd.exe	cacls.exe
PID 4836 wrote to memory of 2796	4836	cmd.exe	cmd.exe
PID 4836 wrote to memory of 2796	4836	cmd.exe	cmd.exe
PID 4836 wrote to memory of 2796	4836	cmd.exe	cmd.exe
PID 4836 wrote to memory of 2032	4836	cmd.exe	cacls.exe
PID 4836 wrote to memory of 2032	4836	cmd.exe	cacls.exe
PID 4836 wrote to memory of 2032	4836	cmd.exe	cacls.exe
PID 4836 wrote to memory of 4336	4836	cmd.exe	cacls.exe
PID 4836 wrote to memory of 4336	4836	cmd.exe	cacls.exe
PID 4836 wrote to memory of 4336	4836	cmd.exe	cacls.exe
PID 1796 wrote to memory of 1496	1796	oneetx.exe	rundll32.exe
PID 1796 wrote to memory of 1496	1796	oneetx.exe	rundll32.exe
PID 1796 wrote to memory of 1496	1796	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\61f8f22aa0fdf15fa565de3ef9d37d3740ff30f2588f6d9121b407dea6f103df.exe
"C:\Users\Admin\AppData\Local\Temp\61f8f22aa0fdf15fa565de3ef9d37d3740ff30f2588f6d9121b407dea6f103df.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7954.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7954.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5638.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5638.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3612

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3088.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3088.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8691.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8691.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2340Xv.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2340Xv.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 1084
6⤵
- Program crash
PID:2152

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84Zn91.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84Zn91.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1756
5⤵
- Program crash
PID:4864

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xHtMJ24.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xHtMJ24.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y12bL89.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y12bL89.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3224

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:3760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4628

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:1388

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2796

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:2032

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:4336

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3732 -ip 3732
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1408 -ip 1408
1⤵
PID:3464

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:1760

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:2104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y12bL89.exe
Filesize
236KB

MD5
f23e888ad25113e07450076967a4be5b

SHA1
bbde308811d8ec266fadc47a691a031b40fba009

SHA256
17364dd4397cb02823f726d7427d6dcd31e8595e7dd7a8275bb1d3e7089c37d5

SHA512
ddb95e9ed2a49ec63bda1d4c53d6d783e429ece732ee27dd6f7c3f4d77bf8c0941e829a9dbb14cd9f73d4ca86b65be4405521d6128796a042063d8b00cc16259

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y12bL89.exe
Filesize
236KB

MD5
f23e888ad25113e07450076967a4be5b

SHA1
bbde308811d8ec266fadc47a691a031b40fba009

SHA256
17364dd4397cb02823f726d7427d6dcd31e8595e7dd7a8275bb1d3e7089c37d5

SHA512
ddb95e9ed2a49ec63bda1d4c53d6d783e429ece732ee27dd6f7c3f4d77bf8c0941e829a9dbb14cd9f73d4ca86b65be4405521d6128796a042063d8b00cc16259

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7954.exe
Filesize
817KB

MD5
e5d242af652575962e9d2a9c0bf4d370

SHA1
1126d03f06424b4aca35e31d5f252195dd997e82

SHA256
4fd5980b34f25e40937d62f71bb420fe5b55c184814cf5bc88960018f40fa317

SHA512
1a3dd4ed1f4f5ab535349c471b171a5562ba57648a640b076addb33bf4e3f1e604ce19ee10782b47be7f2f8725cde70a85c105d17585ea9ec507cce087e7a1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7954.exe
Filesize
817KB

MD5
e5d242af652575962e9d2a9c0bf4d370

SHA1
1126d03f06424b4aca35e31d5f252195dd997e82

SHA256
4fd5980b34f25e40937d62f71bb420fe5b55c184814cf5bc88960018f40fa317

SHA512
1a3dd4ed1f4f5ab535349c471b171a5562ba57648a640b076addb33bf4e3f1e604ce19ee10782b47be7f2f8725cde70a85c105d17585ea9ec507cce087e7a1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xHtMJ24.exe
Filesize
175KB

MD5
6a9e7642f0fb649308bd832b53d7b042

SHA1
68af880fdde510ef0e8ac306b5d93d1c206132bb

SHA256
9f55568d16cf0f0ad92370da764d5bce8be2149de7fd4a84afd3a1e67f7033e7

SHA512
45dfa01eba5d763a45480ec9c76707b3329930edb54016472fe77953c1ad775450e5343bc30163d867cc7a3293b49f08495cf151af8830e2dcf1ca6c26efb5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xHtMJ24.exe
Filesize
175KB

MD5
6a9e7642f0fb649308bd832b53d7b042

SHA1
68af880fdde510ef0e8ac306b5d93d1c206132bb

SHA256
9f55568d16cf0f0ad92370da764d5bce8be2149de7fd4a84afd3a1e67f7033e7

SHA512
45dfa01eba5d763a45480ec9c76707b3329930edb54016472fe77953c1ad775450e5343bc30163d867cc7a3293b49f08495cf151af8830e2dcf1ca6c26efb5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5638.exe
Filesize
675KB

MD5
836a021712409a12f43aeb823fee07d8

SHA1
d40c7924356287a477151c4786f73a8d6777e88e

SHA256
27845098f7092d999aa9abfd1923b8b0f24eaa1837cdf0615ead5805bc354209

SHA512
ee08dcd5dee45efbdb0e55e547bbfe169b46bb629ba6b598449d303d6418067d86e3a704bc82af868fee8e86f5d7e9ed7c1e6d0e75dc4d3346fc7a946e8554c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5638.exe
Filesize
675KB

MD5
836a021712409a12f43aeb823fee07d8

SHA1
d40c7924356287a477151c4786f73a8d6777e88e

SHA256
27845098f7092d999aa9abfd1923b8b0f24eaa1837cdf0615ead5805bc354209

SHA512
ee08dcd5dee45efbdb0e55e547bbfe169b46bb629ba6b598449d303d6418067d86e3a704bc82af868fee8e86f5d7e9ed7c1e6d0e75dc4d3346fc7a946e8554c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84Zn91.exe
Filesize
318KB

MD5
37cd839d9f63da7fdd6340fdb7820355

SHA1
9ecba3a181f3d6b03be7e7df4313186decf503d3

SHA256
09c10f7ca46b46f7a3dd868f2ebf9966b525d1f156bc7e919c7c497816c12fca

SHA512
e247697ecc4ed4ed522f503f1672ccd81b957f53030eb5af27fd50bdb461f38bef0f889f44ab7817ccfd8e828f3534a4ecb556cbd14d1ca823bd385f351cba7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84Zn91.exe
Filesize
318KB

MD5
37cd839d9f63da7fdd6340fdb7820355

SHA1
9ecba3a181f3d6b03be7e7df4313186decf503d3

SHA256
09c10f7ca46b46f7a3dd868f2ebf9966b525d1f156bc7e919c7c497816c12fca

SHA512
e247697ecc4ed4ed522f503f1672ccd81b957f53030eb5af27fd50bdb461f38bef0f889f44ab7817ccfd8e828f3534a4ecb556cbd14d1ca823bd385f351cba7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3088.exe
Filesize
334KB

MD5
1943347c421febe1d7197fe56c0e106c

SHA1
4128176572e3fbcbf8bdadaec18d796f0ff76502

SHA256
9057677ad8a2210007cf135d26288aab3bafcee836410c060fb389294f18bfca

SHA512
186c4b7a869e56b90acdd6dfce631f22172708fda2d84f8ecff7402f6af1ac02aeac7f0ac54d25d46921c0a862af3eba5c66cc154dd2bc671de13ba4afad0e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3088.exe
Filesize
334KB

MD5
1943347c421febe1d7197fe56c0e106c

SHA1
4128176572e3fbcbf8bdadaec18d796f0ff76502

SHA256
9057677ad8a2210007cf135d26288aab3bafcee836410c060fb389294f18bfca

SHA512
186c4b7a869e56b90acdd6dfce631f22172708fda2d84f8ecff7402f6af1ac02aeac7f0ac54d25d46921c0a862af3eba5c66cc154dd2bc671de13ba4afad0e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8691.exe
Filesize
11KB

MD5
04f3c63ce81835b2054683bcfc3dde69

SHA1
cd1f5d0a2a905ac46c556dd1157ae6bfddfdae4e

SHA256
7539469ced6e51a6dad4db72bc209948028e863dbda0a33910f700056964a6f9

SHA512
0593f081909f7fd614dc073404527c64341929a90bf93fbdef9758100d99260eb94c8e521e70cae42cd9ee0921e93860588ab8e8a9f88c3cb819567f215277ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8691.exe
Filesize
11KB

MD5
04f3c63ce81835b2054683bcfc3dde69

SHA1
cd1f5d0a2a905ac46c556dd1157ae6bfddfdae4e

SHA256
7539469ced6e51a6dad4db72bc209948028e863dbda0a33910f700056964a6f9

SHA512
0593f081909f7fd614dc073404527c64341929a90bf93fbdef9758100d99260eb94c8e521e70cae42cd9ee0921e93860588ab8e8a9f88c3cb819567f215277ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2340Xv.exe
Filesize
260KB

MD5
ab0a28761f613c9269d1d532edd42d73

SHA1
8b6c58f4e6a2c06be5ffd94f4842f767ef85541e

SHA256
3ba608a957bfeae083cdc38160286ac7220400d87727a4e3615ec00121ed109b

SHA512
4b8ff09cf9972d41b5d0f2e1c73dd0c987bab7b639136ecff9e39d286969c69bec9ae7151c5001d6ea630fe53b60ede6aae9e07f6ef4c044276d2e7641b7a150

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2340Xv.exe
Filesize
260KB

MD5
ab0a28761f613c9269d1d532edd42d73

SHA1
8b6c58f4e6a2c06be5ffd94f4842f767ef85541e

SHA256
3ba608a957bfeae083cdc38160286ac7220400d87727a4e3615ec00121ed109b

SHA512
4b8ff09cf9972d41b5d0f2e1c73dd0c987bab7b639136ecff9e39d286969c69bec9ae7151c5001d6ea630fe53b60ede6aae9e07f6ef4c044276d2e7641b7a150

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
f23e888ad25113e07450076967a4be5b

SHA1
bbde308811d8ec266fadc47a691a031b40fba009

SHA256
17364dd4397cb02823f726d7427d6dcd31e8595e7dd7a8275bb1d3e7089c37d5

SHA512
ddb95e9ed2a49ec63bda1d4c53d6d783e429ece732ee27dd6f7c3f4d77bf8c0941e829a9dbb14cd9f73d4ca86b65be4405521d6128796a042063d8b00cc16259

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
f23e888ad25113e07450076967a4be5b

SHA1
bbde308811d8ec266fadc47a691a031b40fba009

SHA256
17364dd4397cb02823f726d7427d6dcd31e8595e7dd7a8275bb1d3e7089c37d5

SHA512
ddb95e9ed2a49ec63bda1d4c53d6d783e429ece732ee27dd6f7c3f4d77bf8c0941e829a9dbb14cd9f73d4ca86b65be4405521d6128796a042063d8b00cc16259

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
f23e888ad25113e07450076967a4be5b

SHA1
bbde308811d8ec266fadc47a691a031b40fba009

SHA256
17364dd4397cb02823f726d7427d6dcd31e8595e7dd7a8275bb1d3e7089c37d5

SHA512
ddb95e9ed2a49ec63bda1d4c53d6d783e429ece732ee27dd6f7c3f4d77bf8c0941e829a9dbb14cd9f73d4ca86b65be4405521d6128796a042063d8b00cc16259

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
f23e888ad25113e07450076967a4be5b

SHA1
bbde308811d8ec266fadc47a691a031b40fba009

SHA256
17364dd4397cb02823f726d7427d6dcd31e8595e7dd7a8275bb1d3e7089c37d5

SHA512
ddb95e9ed2a49ec63bda1d4c53d6d783e429ece732ee27dd6f7c3f4d77bf8c0941e829a9dbb14cd9f73d4ca86b65be4405521d6128796a042063d8b00cc16259

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
f23e888ad25113e07450076967a4be5b

SHA1
bbde308811d8ec266fadc47a691a031b40fba009

SHA256
17364dd4397cb02823f726d7427d6dcd31e8595e7dd7a8275bb1d3e7089c37d5

SHA512
ddb95e9ed2a49ec63bda1d4c53d6d783e429ece732ee27dd6f7c3f4d77bf8c0941e829a9dbb14cd9f73d4ca86b65be4405521d6128796a042063d8b00cc16259

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/528-1141-0x0000000000370000-0x00000000003A2000-memory.dmp

Filesize
200KB

Download
memory/528-1142-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/528-1143-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/1408-1126-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/1408-247-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/1408-1135-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1408-1134-0x0000000006FC0000-0x0000000007010000-memory.dmp

Filesize
320KB

Download
memory/1408-1133-0x0000000006F20000-0x0000000006F96000-memory.dmp

Filesize
472KB

Download
memory/1408-1130-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1408-1131-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1408-1132-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1408-1129-0x00000000068D0000-0x0000000006DFC000-memory.dmp

Filesize
5.2MB

Download
memory/1408-1128-0x00000000066F0000-0x00000000068B2000-memory.dmp

Filesize
1.8MB

Download
memory/1408-210-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/1408-211-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/1408-213-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/1408-215-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/1408-217-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/1408-219-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/1408-221-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/1408-225-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/1408-223-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/1408-227-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/1408-229-0x0000000002140000-0x000000000218B000-memory.dmp

Filesize
300KB

Download
memory/1408-231-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/1408-230-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1408-233-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1408-235-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1408-234-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/1408-239-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/1408-237-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/1408-241-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/1408-243-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/1408-245-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/1408-1125-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/1408-1120-0x00000000052A0000-0x00000000058B8000-memory.dmp

Filesize
6.1MB

Download
memory/1408-1121-0x00000000058C0000-0x00000000059CA000-memory.dmp

Filesize
1.0MB

Download
memory/1408-1122-0x00000000059E0000-0x00000000059F2000-memory.dmp

Filesize
72KB

Download
memory/1408-1123-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1408-1124-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/3732-187-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/3732-195-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/3732-185-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/3732-183-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/3732-205-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3732-203-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3732-202-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3732-201-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3732-200-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3732-199-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3732-191-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/3732-189-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/3732-198-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3732-193-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/3732-197-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/3732-181-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/3732-177-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/3732-179-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/3732-175-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/3732-173-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/3732-171-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/3732-170-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/3732-169-0x0000000004C50000-0x00000000051F4000-memory.dmp

Filesize
5.6MB

Download
memory/3732-168-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3732-167-0x0000000000620000-0x000000000064D000-memory.dmp

Filesize
180KB

Download
memory/4244-161-0x00000000007E0000-0x00000000007EA000-memory.dmp

Filesize
40KB

Download