amadey | c7c8ccc2f96aa211ba2e8484aeef709e21074594c353ebc42ef50f168e0590e3

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7c8ccc2f96aa211ba2e8484aeef709e21074594c353ebc42ef50f168e0590e3.exe
Size

1000KB
MD5

b7aa93e1b333f7ae5217bdce72fd1f77
SHA1

be1850d39528fc73923791bbadea658f329f6643
SHA256

c7c8ccc2f96aa211ba2e8484aeef709e21074594c353ebc42ef50f168e0590e3
SHA512

a0f955f081c1b600be63d12f3e0be81f43babe5846787b84f0474ed7882388350a1f6a60dd311158ec6ab8f3073e3cd1667d0be960b21ab63fbea60cb904be81
SSDEEP

12288:FMr7y90SnwLjcR36QYkNSsTMk0NTvyhMG69SWxhEeBVOJcKTbZDb89vn0w84mPJ1:6y1nYcR364NSsIohSxROOKT1bE81dRf

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz3560.exev5544Oy.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz3560.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v5544Oy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v5544Oy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v5544Oy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz3560.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz3560.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz3560.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v5544Oy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v5544Oy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v5544Oy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz3560.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz3560.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/624-210-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/624-209-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/624-212-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/624-214-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/624-216-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/624-218-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/624-220-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/624-224-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/624-222-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/624-226-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/624-228-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/624-230-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/624-232-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/624-234-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/624-236-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/624-238-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/624-240-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/624-242-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/624-584-0x0000000002670000-0x0000000002680000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y72CW22.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	y72CW22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 11 IoCs

Processes:

zap1383.exezap0990.exezap3577.exetz3560.exev5544Oy.exew11NI60.exexrwYI82.exey72CW22.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
4288	zap1383.exe
2928	zap0990.exe
3820	zap3577.exe
748	tz3560.exe
320	v5544Oy.exe
624	w11NI60.exe
4764	xrwYI82.exe
4424	y72CW22.exe
4748	oneetx.exe
5064	oneetx.exe
1800	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4116 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4116	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz3560.exev5544Oy.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz3560.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v5544Oy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v5544Oy.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c7c8ccc2f96aa211ba2e8484aeef709e21074594c353ebc42ef50f168e0590e3.exezap1383.exezap0990.exezap3577.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c7c8ccc2f96aa211ba2e8484aeef709e21074594c353ebc42ef50f168e0590e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c7c8ccc2f96aa211ba2e8484aeef709e21074594c353ebc42ef50f168e0590e3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1383.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap1383.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0990.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap0990.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3577.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap3577.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1496 320 WerFault.exe v5544Oy.exe
3712 624 WerFault.exe w11NI60.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5016 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz3560.exev5544Oy.exew11NI60.exexrwYI82.exe

pid process

748 tz3560.exe
748 tz3560.exe
320 v5544Oy.exe
320 v5544Oy.exe
624 w11NI60.exe
624 w11NI60.exe
4764 xrwYI82.exe
4764 xrwYI82.exe

pid	pid_target	process	target process
1496	320	WerFault.exe	v5544Oy.exe
3712	624	WerFault.exe	w11NI60.exe

pid	process
5016	schtasks.exe

pid	process
748	tz3560.exe
748	tz3560.exe
320	v5544Oy.exe
320	v5544Oy.exe
624	w11NI60.exe
624	w11NI60.exe
4764	xrwYI82.exe
4764	xrwYI82.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz3560.exev5544Oy.exew11NI60.exexrwYI82.exe

description	pid	process
Token: SeDebugPrivilege	748	tz3560.exe
Token: SeDebugPrivilege	320	v5544Oy.exe
Token: SeDebugPrivilege	624	w11NI60.exe
Token: SeDebugPrivilege	4764	xrwYI82.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y72CW22.exe

pid process

4424 y72CW22.exe

pid	process
4424	y72CW22.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

c7c8ccc2f96aa211ba2e8484aeef709e21074594c353ebc42ef50f168e0590e3.exezap1383.exezap0990.exezap3577.exey72CW22.exeoneetx.execmd.exe

description	pid	process	target process
PID 2372 wrote to memory of 4288	2372	c7c8ccc2f96aa211ba2e8484aeef709e21074594c353ebc42ef50f168e0590e3.exe	zap1383.exe
PID 2372 wrote to memory of 4288	2372	c7c8ccc2f96aa211ba2e8484aeef709e21074594c353ebc42ef50f168e0590e3.exe	zap1383.exe
PID 2372 wrote to memory of 4288	2372	c7c8ccc2f96aa211ba2e8484aeef709e21074594c353ebc42ef50f168e0590e3.exe	zap1383.exe
PID 4288 wrote to memory of 2928	4288	zap1383.exe	zap0990.exe
PID 4288 wrote to memory of 2928	4288	zap1383.exe	zap0990.exe
PID 4288 wrote to memory of 2928	4288	zap1383.exe	zap0990.exe
PID 2928 wrote to memory of 3820	2928	zap0990.exe	zap3577.exe
PID 2928 wrote to memory of 3820	2928	zap0990.exe	zap3577.exe
PID 2928 wrote to memory of 3820	2928	zap0990.exe	zap3577.exe
PID 3820 wrote to memory of 748	3820	zap3577.exe	tz3560.exe
PID 3820 wrote to memory of 748	3820	zap3577.exe	tz3560.exe
PID 3820 wrote to memory of 320	3820	zap3577.exe	v5544Oy.exe
PID 3820 wrote to memory of 320	3820	zap3577.exe	v5544Oy.exe
PID 3820 wrote to memory of 320	3820	zap3577.exe	v5544Oy.exe
PID 2928 wrote to memory of 624	2928	zap0990.exe	w11NI60.exe
PID 2928 wrote to memory of 624	2928	zap0990.exe	w11NI60.exe
PID 2928 wrote to memory of 624	2928	zap0990.exe	w11NI60.exe
PID 4288 wrote to memory of 4764	4288	zap1383.exe	xrwYI82.exe
PID 4288 wrote to memory of 4764	4288	zap1383.exe	xrwYI82.exe
PID 4288 wrote to memory of 4764	4288	zap1383.exe	xrwYI82.exe
PID 2372 wrote to memory of 4424	2372	c7c8ccc2f96aa211ba2e8484aeef709e21074594c353ebc42ef50f168e0590e3.exe	y72CW22.exe
PID 2372 wrote to memory of 4424	2372	c7c8ccc2f96aa211ba2e8484aeef709e21074594c353ebc42ef50f168e0590e3.exe	y72CW22.exe
PID 2372 wrote to memory of 4424	2372	c7c8ccc2f96aa211ba2e8484aeef709e21074594c353ebc42ef50f168e0590e3.exe	y72CW22.exe
PID 4424 wrote to memory of 4748	4424	y72CW22.exe	oneetx.exe
PID 4424 wrote to memory of 4748	4424	y72CW22.exe	oneetx.exe
PID 4424 wrote to memory of 4748	4424	y72CW22.exe	oneetx.exe
PID 4748 wrote to memory of 5016	4748	oneetx.exe	schtasks.exe
PID 4748 wrote to memory of 5016	4748	oneetx.exe	schtasks.exe
PID 4748 wrote to memory of 5016	4748	oneetx.exe	schtasks.exe
PID 4748 wrote to memory of 2200	4748	oneetx.exe	cmd.exe
PID 4748 wrote to memory of 2200	4748	oneetx.exe	cmd.exe
PID 4748 wrote to memory of 2200	4748	oneetx.exe	cmd.exe
PID 2200 wrote to memory of 1836	2200	cmd.exe	cmd.exe
PID 2200 wrote to memory of 1836	2200	cmd.exe	cmd.exe
PID 2200 wrote to memory of 1836	2200	cmd.exe	cmd.exe
PID 2200 wrote to memory of 4188	2200	cmd.exe	cacls.exe
PID 2200 wrote to memory of 4188	2200	cmd.exe	cacls.exe
PID 2200 wrote to memory of 4188	2200	cmd.exe	cacls.exe
PID 2200 wrote to memory of 4224	2200	cmd.exe	cacls.exe
PID 2200 wrote to memory of 4224	2200	cmd.exe	cacls.exe
PID 2200 wrote to memory of 4224	2200	cmd.exe	cacls.exe
PID 2200 wrote to memory of 1440	2200	cmd.exe	cmd.exe
PID 2200 wrote to memory of 1440	2200	cmd.exe	cmd.exe
PID 2200 wrote to memory of 1440	2200	cmd.exe	cmd.exe
PID 2200 wrote to memory of 4940	2200	cmd.exe	cacls.exe
PID 2200 wrote to memory of 4940	2200	cmd.exe	cacls.exe
PID 2200 wrote to memory of 4940	2200	cmd.exe	cacls.exe
PID 2200 wrote to memory of 2536	2200	cmd.exe	cacls.exe
PID 2200 wrote to memory of 2536	2200	cmd.exe	cacls.exe
PID 2200 wrote to memory of 2536	2200	cmd.exe	cacls.exe
PID 4748 wrote to memory of 4116	4748	oneetx.exe	rundll32.exe
PID 4748 wrote to memory of 4116	4748	oneetx.exe	rundll32.exe
PID 4748 wrote to memory of 4116	4748	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\c7c8ccc2f96aa211ba2e8484aeef709e21074594c353ebc42ef50f168e0590e3.exe
"C:\Users\Admin\AppData\Local\Temp\c7c8ccc2f96aa211ba2e8484aeef709e21074594c353ebc42ef50f168e0590e3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1383.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1383.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4288

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0990.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0990.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2928

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3577.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3577.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3820

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3560.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3560.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5544Oy.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5544Oy.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 1084
6⤵
- Program crash
PID:1496

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w11NI60.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w11NI60.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 1336
5⤵
- Program crash
PID:3712

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xrwYI82.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xrwYI82.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y72CW22.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y72CW22.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4424

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:5016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1836

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:4188

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1440

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:4940

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:2536

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 320 -ip 320
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 624 -ip 624
1⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:5064

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y72CW22.exe
Filesize
236KB

MD5
3296213ea91da028ed52d9216e5534c9

SHA1
37e68112d1f3801976255828801cfada2659da09

SHA256
314259dff86406a9158dfddd260c067545721ce861812020312dc953bc022a8c

SHA512
e6172d04f78ef38a26f3208fe7e079fac2c14278d12d7f3efdb05372dba67f4807d2cc616974709b3005113b3f7586f79b2c8b6532b761aeed508a44dcd9eb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y72CW22.exe
Filesize
236KB

MD5
3296213ea91da028ed52d9216e5534c9

SHA1
37e68112d1f3801976255828801cfada2659da09

SHA256
314259dff86406a9158dfddd260c067545721ce861812020312dc953bc022a8c

SHA512
e6172d04f78ef38a26f3208fe7e079fac2c14278d12d7f3efdb05372dba67f4807d2cc616974709b3005113b3f7586f79b2c8b6532b761aeed508a44dcd9eb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1383.exe
Filesize
816KB

MD5
17408637e81d2cf411b997923bee4977

SHA1
49bae734c8e8bdc287a87478a637a2672c702251

SHA256
b611e69f1f615aaa5fa1e2dde3a032f75b8f1b6071f494ea3a41dba8550a9795

SHA512
0c5677350b89fecb89623b59abcc52c7c4a492047424ba923b8622adcf7ceccc55541a2f0ca2d3fca97cc75e620e53f1b295d674af5c7eb9aaf0674c8bdcbb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1383.exe
Filesize
816KB

MD5
17408637e81d2cf411b997923bee4977

SHA1
49bae734c8e8bdc287a87478a637a2672c702251

SHA256
b611e69f1f615aaa5fa1e2dde3a032f75b8f1b6071f494ea3a41dba8550a9795

SHA512
0c5677350b89fecb89623b59abcc52c7c4a492047424ba923b8622adcf7ceccc55541a2f0ca2d3fca97cc75e620e53f1b295d674af5c7eb9aaf0674c8bdcbb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xrwYI82.exe
Filesize
175KB

MD5
6000998f9bae7349002cb7f82185b8fa

SHA1
472f67f497281db12e48b11711f4e8fdbd782b62

SHA256
ac97aac4c2971c633087dfb62f223d2df2f5b3cd66c3d6a251c7e05467814d94

SHA512
74cebea2923cfd767253903385c1893d597075941af26f50b38fb9149d5a2a7034e8ea12dd366e84bdef952af7cd7b87d5dd490a856e7e07f600d8852c08b699

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xrwYI82.exe
Filesize
175KB

MD5
6000998f9bae7349002cb7f82185b8fa

SHA1
472f67f497281db12e48b11711f4e8fdbd782b62

SHA256
ac97aac4c2971c633087dfb62f223d2df2f5b3cd66c3d6a251c7e05467814d94

SHA512
74cebea2923cfd767253903385c1893d597075941af26f50b38fb9149d5a2a7034e8ea12dd366e84bdef952af7cd7b87d5dd490a856e7e07f600d8852c08b699

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0990.exe
Filesize
674KB

MD5
3dd3feb04dcccb2ff6a961bf7bd3a8cf

SHA1
29e2b76882bdf57f1cf6e8869d5f578d1e439d4e

SHA256
8dbfd765ffe115af8aec486204e3e12a0aafd92fcea448aa539069cfaf47bc30

SHA512
c07d5c8c764719d4c283ac58d9ae46edc23bccb10e78bef23b7ca6f4dffc30f2d1bf384a13425bec757d00ed6e02a1c25b4ffd05f84ecbc5d40b71faddd9ce33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0990.exe
Filesize
674KB

MD5
3dd3feb04dcccb2ff6a961bf7bd3a8cf

SHA1
29e2b76882bdf57f1cf6e8869d5f578d1e439d4e

SHA256
8dbfd765ffe115af8aec486204e3e12a0aafd92fcea448aa539069cfaf47bc30

SHA512
c07d5c8c764719d4c283ac58d9ae46edc23bccb10e78bef23b7ca6f4dffc30f2d1bf384a13425bec757d00ed6e02a1c25b4ffd05f84ecbc5d40b71faddd9ce33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w11NI60.exe
Filesize
318KB

MD5
960a225032e4be1bd5f86599a4d846a5

SHA1
b57c29a6cd3c9040f8f6e47c4442f0498539867e

SHA256
9497feccf0241961751aaeac7fd96cff7fd313195d6be2e6d24d7a4dec5463a9

SHA512
c11f7710919d7bae87b9b0a109a9e940840b280ce82924514d27ead71e5030dbfcceabf5daf66e59e04cebeaa2af621d6582e5909e489bb571fa45e382149552

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w11NI60.exe
Filesize
318KB

MD5
960a225032e4be1bd5f86599a4d846a5

SHA1
b57c29a6cd3c9040f8f6e47c4442f0498539867e

SHA256
9497feccf0241961751aaeac7fd96cff7fd313195d6be2e6d24d7a4dec5463a9

SHA512
c11f7710919d7bae87b9b0a109a9e940840b280ce82924514d27ead71e5030dbfcceabf5daf66e59e04cebeaa2af621d6582e5909e489bb571fa45e382149552

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3577.exe
Filesize
334KB

MD5
217f1f9336186e7b77ead98c7d42b2b1

SHA1
8f8a2a082fad1495243e6516ca9fad0f052c656d

SHA256
2429bb60b322f3175d7d4689fd329bc561e132ad03614793a6040cc1aac92bdc

SHA512
8b7d970de32518b93b4a9797e93d5cf5f45c6e79d76e0bf832227a259239e3d221560ea32b62f96fa3a99dfc5231ac2c97df582fa3f519056c6d29777a0f383f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3577.exe
Filesize
334KB

MD5
217f1f9336186e7b77ead98c7d42b2b1

SHA1
8f8a2a082fad1495243e6516ca9fad0f052c656d

SHA256
2429bb60b322f3175d7d4689fd329bc561e132ad03614793a6040cc1aac92bdc

SHA512
8b7d970de32518b93b4a9797e93d5cf5f45c6e79d76e0bf832227a259239e3d221560ea32b62f96fa3a99dfc5231ac2c97df582fa3f519056c6d29777a0f383f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3560.exe
Filesize
11KB

MD5
0a6f7211f62d7f315875f132c64d271d

SHA1
11ed0ff7128193405ffacd1fea366847a8688ddb

SHA256
6b7fc1cc485263cbba88da6e0bc1990aa8de25e6b1fff302ed06978d8ea7cf21

SHA512
0240ffe944eadbdb6e573c4660c7a2da64992351549881799dacbb7a4c8dff3cd8f16c1b52bafcad80ba5cfb8e334cf8784f0c5190ce1d78668494be01ba4633

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3560.exe
Filesize
11KB

MD5
0a6f7211f62d7f315875f132c64d271d

SHA1
11ed0ff7128193405ffacd1fea366847a8688ddb

SHA256
6b7fc1cc485263cbba88da6e0bc1990aa8de25e6b1fff302ed06978d8ea7cf21

SHA512
0240ffe944eadbdb6e573c4660c7a2da64992351549881799dacbb7a4c8dff3cd8f16c1b52bafcad80ba5cfb8e334cf8784f0c5190ce1d78668494be01ba4633

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5544Oy.exe
Filesize
260KB

MD5
88796d64d15c7b240ae5f8924a9f0142

SHA1
52735b980ee64a993bbbe5ded6f9052f4a286041

SHA256
cc2c934534293c5f429049ef1708cf88c135d420111c8b2078739e53d27fa822

SHA512
7448706ec29ac6afeb16703e97746b20168b21439f5f3367acbc12899b822f4dd2b01da0c2c4502fae3d19669d1c775a43194bf267106a89288f8ba6ab6fc3b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5544Oy.exe
Filesize
260KB

MD5
88796d64d15c7b240ae5f8924a9f0142

SHA1
52735b980ee64a993bbbe5ded6f9052f4a286041

SHA256
cc2c934534293c5f429049ef1708cf88c135d420111c8b2078739e53d27fa822

SHA512
7448706ec29ac6afeb16703e97746b20168b21439f5f3367acbc12899b822f4dd2b01da0c2c4502fae3d19669d1c775a43194bf267106a89288f8ba6ab6fc3b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
3296213ea91da028ed52d9216e5534c9

SHA1
37e68112d1f3801976255828801cfada2659da09

SHA256
314259dff86406a9158dfddd260c067545721ce861812020312dc953bc022a8c

SHA512
e6172d04f78ef38a26f3208fe7e079fac2c14278d12d7f3efdb05372dba67f4807d2cc616974709b3005113b3f7586f79b2c8b6532b761aeed508a44dcd9eb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
3296213ea91da028ed52d9216e5534c9

SHA1
37e68112d1f3801976255828801cfada2659da09

SHA256
314259dff86406a9158dfddd260c067545721ce861812020312dc953bc022a8c

SHA512
e6172d04f78ef38a26f3208fe7e079fac2c14278d12d7f3efdb05372dba67f4807d2cc616974709b3005113b3f7586f79b2c8b6532b761aeed508a44dcd9eb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
3296213ea91da028ed52d9216e5534c9

SHA1
37e68112d1f3801976255828801cfada2659da09

SHA256
314259dff86406a9158dfddd260c067545721ce861812020312dc953bc022a8c

SHA512
e6172d04f78ef38a26f3208fe7e079fac2c14278d12d7f3efdb05372dba67f4807d2cc616974709b3005113b3f7586f79b2c8b6532b761aeed508a44dcd9eb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
3296213ea91da028ed52d9216e5534c9

SHA1
37e68112d1f3801976255828801cfada2659da09

SHA256
314259dff86406a9158dfddd260c067545721ce861812020312dc953bc022a8c

SHA512
e6172d04f78ef38a26f3208fe7e079fac2c14278d12d7f3efdb05372dba67f4807d2cc616974709b3005113b3f7586f79b2c8b6532b761aeed508a44dcd9eb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
3296213ea91da028ed52d9216e5534c9

SHA1
37e68112d1f3801976255828801cfada2659da09

SHA256
314259dff86406a9158dfddd260c067545721ce861812020312dc953bc022a8c

SHA512
e6172d04f78ef38a26f3208fe7e079fac2c14278d12d7f3efdb05372dba67f4807d2cc616974709b3005113b3f7586f79b2c8b6532b761aeed508a44dcd9eb8a

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/320-167-0x0000000004AC0000-0x0000000005064000-memory.dmp

Filesize
5.6MB

Download
memory/320-193-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/320-195-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/320-196-0x0000000000630000-0x000000000065D000-memory.dmp

Filesize
180KB

Download
memory/320-197-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/320-198-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/320-199-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/320-201-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/320-202-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/320-203-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/320-204-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/320-191-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/320-189-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/320-187-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/320-185-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/320-183-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/320-181-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/320-179-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/320-177-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/320-175-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/320-173-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/320-171-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/320-169-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/320-168-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/624-222-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/624-1130-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/624-238-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/624-240-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/624-242-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/624-583-0x0000000002120000-0x000000000216B000-memory.dmp

Filesize
300KB

Download
memory/624-584-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/624-587-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/624-1118-0x0000000005220000-0x0000000005838000-memory.dmp

Filesize
6.1MB

Download
memory/624-1119-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/624-1120-0x00000000059E0000-0x00000000059F2000-memory.dmp

Filesize
72KB

Download
memory/624-1121-0x0000000005B00000-0x0000000005B3C000-memory.dmp

Filesize
240KB

Download
memory/624-1122-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/624-1123-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/624-1124-0x00000000063A0000-0x0000000006432000-memory.dmp

Filesize
584KB

Download
memory/624-1126-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/624-1127-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/624-1128-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/624-1129-0x0000000007760000-0x0000000007922000-memory.dmp

Filesize
1.8MB

Download
memory/624-236-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/624-1131-0x0000000007940000-0x0000000007E6C000-memory.dmp

Filesize
5.2MB

Download
memory/624-1132-0x0000000008190000-0x0000000008206000-memory.dmp

Filesize
472KB

Download
memory/624-1133-0x0000000008210000-0x0000000008260000-memory.dmp

Filesize
320KB

Download
memory/624-234-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/624-232-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/624-210-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/624-209-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/624-212-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/624-214-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/624-230-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/624-228-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/624-226-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/624-224-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/624-220-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/624-218-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/624-216-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/748-161-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download
memory/4764-1141-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/4764-1140-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/4764-1139-0x0000000000D50000-0x0000000000D82000-memory.dmp

Filesize
200KB

Download