amadey | f0eabdbb98604f87ae6699fd1ead61938cdbb573f4a30564f9eeea4040548cf5

Analysis

max time kernel
120s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0eabdbb98604f87ae6699fd1ead61938cdbb573f4a30564f9eeea4040548cf5.exe
Size

999KB
MD5

47900a1b4085fac6475098d8cb2ef998
SHA1

0e36e758324925c32a7c4555868d790378149948
SHA256

f0eabdbb98604f87ae6699fd1ead61938cdbb573f4a30564f9eeea4040548cf5
SHA512

dca1b1f9498a6b6c71f94fcd3d0ffc8cb944727f4b0bf7e5af8c1ea5d509a07340ddd0d63a9e7021aebc291b6249c9e8c68c56c8b53eb837dc3c14d92913786c
SSDEEP

24576:oyjwbY1CiD4IUjyRTmympS4QNUV3gS3vtiP77eMgIFt:vjh1CiDfUG3TNIdft4HeMg

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz1120.exev0435QN.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz1120.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz1120.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz1120.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz1120.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v0435QN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v0435QN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz1120.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz1120.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v0435QN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v0435QN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v0435QN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v0435QN.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3368-215-0x0000000006670000-0x00000000066AF000-memory.dmp	family_redline
behavioral1/memory/3368-219-0x0000000006670000-0x00000000066AF000-memory.dmp	family_redline
behavioral1/memory/3368-217-0x0000000006670000-0x00000000066AF000-memory.dmp	family_redline
behavioral1/memory/3368-221-0x0000000006670000-0x00000000066AF000-memory.dmp	family_redline
behavioral1/memory/3368-213-0x0000000006670000-0x00000000066AF000-memory.dmp	family_redline
behavioral1/memory/3368-223-0x0000000006670000-0x00000000066AF000-memory.dmp	family_redline
behavioral1/memory/3368-225-0x0000000006670000-0x00000000066AF000-memory.dmp	family_redline
behavioral1/memory/3368-227-0x0000000006670000-0x00000000066AF000-memory.dmp	family_redline
behavioral1/memory/3368-229-0x0000000006670000-0x00000000066AF000-memory.dmp	family_redline
behavioral1/memory/3368-231-0x0000000006670000-0x00000000066AF000-memory.dmp	family_redline
behavioral1/memory/3368-235-0x0000000006670000-0x00000000066AF000-memory.dmp	family_redline
behavioral1/memory/3368-233-0x0000000006670000-0x00000000066AF000-memory.dmp	family_redline
behavioral1/memory/3368-237-0x0000000006670000-0x00000000066AF000-memory.dmp	family_redline
behavioral1/memory/3368-239-0x0000000006670000-0x00000000066AF000-memory.dmp	family_redline
behavioral1/memory/3368-241-0x0000000006670000-0x00000000066AF000-memory.dmp	family_redline
behavioral1/memory/3368-243-0x0000000006670000-0x00000000066AF000-memory.dmp	family_redline
behavioral1/memory/3368-245-0x0000000006670000-0x00000000066AF000-memory.dmp	family_redline
behavioral1/memory/3368-247-0x0000000006670000-0x00000000066AF000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y37IP55.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	y37IP55.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

Processes:

zap4139.exezap2461.exezap6696.exetz1120.exev0435QN.exew96Gk46.exexbQQR42.exey37IP55.exeoneetx.exeoneetx.exe

pid	process
1008	zap4139.exe
4356	zap2461.exe
1860	zap6696.exe
4804	tz1120.exe
4420	v0435QN.exe
3368	w96Gk46.exe
4736	xbQQR42.exe
976	y37IP55.exe
4624	oneetx.exe
3480	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2372 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2372	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz1120.exev0435QN.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz1120.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v0435QN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v0435QN.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f0eabdbb98604f87ae6699fd1ead61938cdbb573f4a30564f9eeea4040548cf5.exezap4139.exezap2461.exezap6696.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f0eabdbb98604f87ae6699fd1ead61938cdbb573f4a30564f9eeea4040548cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f0eabdbb98604f87ae6699fd1ead61938cdbb573f4a30564f9eeea4040548cf5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4139.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap4139.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2461.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap2461.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6696.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap6696.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1124 4420 WerFault.exe v0435QN.exe
2348 3368 WerFault.exe w96Gk46.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3176 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz1120.exev0435QN.exew96Gk46.exexbQQR42.exe

pid process

4804 tz1120.exe
4804 tz1120.exe
4420 v0435QN.exe
4420 v0435QN.exe
3368 w96Gk46.exe
3368 w96Gk46.exe
4736 xbQQR42.exe
4736 xbQQR42.exe

pid	pid_target	process	target process
1124	4420	WerFault.exe	v0435QN.exe
2348	3368	WerFault.exe	w96Gk46.exe

pid	process
3176	schtasks.exe

pid	process
4804	tz1120.exe
4804	tz1120.exe
4420	v0435QN.exe
4420	v0435QN.exe
3368	w96Gk46.exe
3368	w96Gk46.exe
4736	xbQQR42.exe
4736	xbQQR42.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz1120.exev0435QN.exew96Gk46.exexbQQR42.exe

description	pid	process
Token: SeDebugPrivilege	4804	tz1120.exe
Token: SeDebugPrivilege	4420	v0435QN.exe
Token: SeDebugPrivilege	3368	w96Gk46.exe
Token: SeDebugPrivilege	4736	xbQQR42.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y37IP55.exe

pid process

976 y37IP55.exe

pid	process
976	y37IP55.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

f0eabdbb98604f87ae6699fd1ead61938cdbb573f4a30564f9eeea4040548cf5.exezap4139.exezap2461.exezap6696.exey37IP55.exeoneetx.execmd.exe

description	pid	process	target process
PID 3816 wrote to memory of 1008	3816	f0eabdbb98604f87ae6699fd1ead61938cdbb573f4a30564f9eeea4040548cf5.exe	zap4139.exe
PID 3816 wrote to memory of 1008	3816	f0eabdbb98604f87ae6699fd1ead61938cdbb573f4a30564f9eeea4040548cf5.exe	zap4139.exe
PID 3816 wrote to memory of 1008	3816	f0eabdbb98604f87ae6699fd1ead61938cdbb573f4a30564f9eeea4040548cf5.exe	zap4139.exe
PID 1008 wrote to memory of 4356	1008	zap4139.exe	zap2461.exe
PID 1008 wrote to memory of 4356	1008	zap4139.exe	zap2461.exe
PID 1008 wrote to memory of 4356	1008	zap4139.exe	zap2461.exe
PID 4356 wrote to memory of 1860	4356	zap2461.exe	zap6696.exe
PID 4356 wrote to memory of 1860	4356	zap2461.exe	zap6696.exe
PID 4356 wrote to memory of 1860	4356	zap2461.exe	zap6696.exe
PID 1860 wrote to memory of 4804	1860	zap6696.exe	tz1120.exe
PID 1860 wrote to memory of 4804	1860	zap6696.exe	tz1120.exe
PID 1860 wrote to memory of 4420	1860	zap6696.exe	v0435QN.exe
PID 1860 wrote to memory of 4420	1860	zap6696.exe	v0435QN.exe
PID 1860 wrote to memory of 4420	1860	zap6696.exe	v0435QN.exe
PID 4356 wrote to memory of 3368	4356	zap2461.exe	w96Gk46.exe
PID 4356 wrote to memory of 3368	4356	zap2461.exe	w96Gk46.exe
PID 4356 wrote to memory of 3368	4356	zap2461.exe	w96Gk46.exe
PID 1008 wrote to memory of 4736	1008	zap4139.exe	xbQQR42.exe
PID 1008 wrote to memory of 4736	1008	zap4139.exe	xbQQR42.exe
PID 1008 wrote to memory of 4736	1008	zap4139.exe	xbQQR42.exe
PID 3816 wrote to memory of 976	3816	f0eabdbb98604f87ae6699fd1ead61938cdbb573f4a30564f9eeea4040548cf5.exe	y37IP55.exe
PID 3816 wrote to memory of 976	3816	f0eabdbb98604f87ae6699fd1ead61938cdbb573f4a30564f9eeea4040548cf5.exe	y37IP55.exe
PID 3816 wrote to memory of 976	3816	f0eabdbb98604f87ae6699fd1ead61938cdbb573f4a30564f9eeea4040548cf5.exe	y37IP55.exe
PID 976 wrote to memory of 4624	976	y37IP55.exe	oneetx.exe
PID 976 wrote to memory of 4624	976	y37IP55.exe	oneetx.exe
PID 976 wrote to memory of 4624	976	y37IP55.exe	oneetx.exe
PID 4624 wrote to memory of 3176	4624	oneetx.exe	schtasks.exe
PID 4624 wrote to memory of 3176	4624	oneetx.exe	schtasks.exe
PID 4624 wrote to memory of 3176	4624	oneetx.exe	schtasks.exe
PID 4624 wrote to memory of 4812	4624	oneetx.exe	cmd.exe
PID 4624 wrote to memory of 4812	4624	oneetx.exe	cmd.exe
PID 4624 wrote to memory of 4812	4624	oneetx.exe	cmd.exe
PID 4812 wrote to memory of 4412	4812	cmd.exe	cmd.exe
PID 4812 wrote to memory of 4412	4812	cmd.exe	cmd.exe
PID 4812 wrote to memory of 4412	4812	cmd.exe	cmd.exe
PID 4812 wrote to memory of 2388	4812	cmd.exe	cacls.exe
PID 4812 wrote to memory of 2388	4812	cmd.exe	cacls.exe
PID 4812 wrote to memory of 2388	4812	cmd.exe	cacls.exe
PID 4812 wrote to memory of 4640	4812	cmd.exe	cacls.exe
PID 4812 wrote to memory of 4640	4812	cmd.exe	cacls.exe
PID 4812 wrote to memory of 4640	4812	cmd.exe	cacls.exe
PID 4812 wrote to memory of 3964	4812	cmd.exe	cmd.exe
PID 4812 wrote to memory of 3964	4812	cmd.exe	cmd.exe
PID 4812 wrote to memory of 3964	4812	cmd.exe	cmd.exe
PID 4812 wrote to memory of 3724	4812	cmd.exe	cacls.exe
PID 4812 wrote to memory of 3724	4812	cmd.exe	cacls.exe
PID 4812 wrote to memory of 3724	4812	cmd.exe	cacls.exe
PID 4812 wrote to memory of 528	4812	cmd.exe	cacls.exe
PID 4812 wrote to memory of 528	4812	cmd.exe	cacls.exe
PID 4812 wrote to memory of 528	4812	cmd.exe	cacls.exe
PID 4624 wrote to memory of 2372	4624	oneetx.exe	rundll32.exe
PID 4624 wrote to memory of 2372	4624	oneetx.exe	rundll32.exe
PID 4624 wrote to memory of 2372	4624	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\f0eabdbb98604f87ae6699fd1ead61938cdbb573f4a30564f9eeea4040548cf5.exe
"C:\Users\Admin\AppData\Local\Temp\f0eabdbb98604f87ae6699fd1ead61938cdbb573f4a30564f9eeea4040548cf5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4139.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4139.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2461.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2461.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4356

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6696.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6696.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1860

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1120.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1120.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0435QN.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0435QN.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1080
6⤵
- Program crash
PID:1124

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w96Gk46.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w96Gk46.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 1860
5⤵
- Program crash
PID:2348

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbQQR42.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbQQR42.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y37IP55.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y37IP55.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:3176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4412

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:2388

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3964

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:3724

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:528

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4420 -ip 4420
1⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3368 -ip 3368
1⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:3480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y37IP55.exe
Filesize
236KB

MD5
993dda15b7bd28ddc6098f666fcdc4ca

SHA1
d6716e52c9f398e08230896572e61e447560dc9b

SHA256
a168dd2be9de5524a9d15af9641bdf41b0b4ada8b7f6f924a91ef11d751e5360

SHA512
bbb8ff813145586d92774d3a08e081d23830505da061313792008835f184abcdf7310bb0bf118946a122cbb18ccd72f07bb0e3433a852ae28803ade13eed8a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y37IP55.exe
Filesize
236KB

MD5
993dda15b7bd28ddc6098f666fcdc4ca

SHA1
d6716e52c9f398e08230896572e61e447560dc9b

SHA256
a168dd2be9de5524a9d15af9641bdf41b0b4ada8b7f6f924a91ef11d751e5360

SHA512
bbb8ff813145586d92774d3a08e081d23830505da061313792008835f184abcdf7310bb0bf118946a122cbb18ccd72f07bb0e3433a852ae28803ade13eed8a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4139.exe
Filesize
815KB

MD5
8e1eb513b496d636cc84fd60b938ac8b

SHA1
af87cf0fd192d915a23a348f89a84b012e3fe042

SHA256
cd6982f047189f8604b3665789aa9c682c27f52ce7805727c733806436e590f0

SHA512
9ec906156c149610faececfa9bd37785165a11ac4bc7da6a5ea3f266d588ab509f7d364cd04a1bcde62dc26408e83b52e2733069cfc2aa1e3b35fc9462763b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4139.exe
Filesize
815KB

MD5
8e1eb513b496d636cc84fd60b938ac8b

SHA1
af87cf0fd192d915a23a348f89a84b012e3fe042

SHA256
cd6982f047189f8604b3665789aa9c682c27f52ce7805727c733806436e590f0

SHA512
9ec906156c149610faececfa9bd37785165a11ac4bc7da6a5ea3f266d588ab509f7d364cd04a1bcde62dc26408e83b52e2733069cfc2aa1e3b35fc9462763b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbQQR42.exe
Filesize
175KB

MD5
fe69d07b8f0134f1792c441c234f7fd2

SHA1
fdd1c13035936b94144d4720a36380a2c82a3090

SHA256
758195bc68d04f406a5a34aae5dfa0ba531053e63ef5631f62eefc03e93c5314

SHA512
c6093f8d43917af8026d8d7be0ff7fcd4892de521083225badade5320122f4fc9ed059bd06a5f4ad3c4165eb9f7af89457fbaa1df26e1ee16e11acb4d8b03cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbQQR42.exe
Filesize
175KB

MD5
fe69d07b8f0134f1792c441c234f7fd2

SHA1
fdd1c13035936b94144d4720a36380a2c82a3090

SHA256
758195bc68d04f406a5a34aae5dfa0ba531053e63ef5631f62eefc03e93c5314

SHA512
c6093f8d43917af8026d8d7be0ff7fcd4892de521083225badade5320122f4fc9ed059bd06a5f4ad3c4165eb9f7af89457fbaa1df26e1ee16e11acb4d8b03cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2461.exe
Filesize
673KB

MD5
32a513804d9954093c7165e17edde795

SHA1
58d025c1afc4789235550dc7ef796a435595290b

SHA256
1607822dfcb64e1ec97acb28974aa9529aab3ca3d5408d6017b22544b4fcb2e6

SHA512
b0941c4ab0cfb1bcc58c2cdd529ef3f129da89962de3e12733bb6a9bda77a936d24f6b1e5fcf09067c1cebc1750c9ac793691d6bdcc3898d391d037c93afd7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2461.exe
Filesize
673KB

MD5
32a513804d9954093c7165e17edde795

SHA1
58d025c1afc4789235550dc7ef796a435595290b

SHA256
1607822dfcb64e1ec97acb28974aa9529aab3ca3d5408d6017b22544b4fcb2e6

SHA512
b0941c4ab0cfb1bcc58c2cdd529ef3f129da89962de3e12733bb6a9bda77a936d24f6b1e5fcf09067c1cebc1750c9ac793691d6bdcc3898d391d037c93afd7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w96Gk46.exe
Filesize
359KB

MD5
fc2c0e8a21b18d6baf4b2b6bfe66e9c0

SHA1
05f166cb7abd9c5138c42a1704cdce6cd5b20be5

SHA256
40a1539b90b74b2c760720e96471db8ac3c3a594200dd5b041a0edd92c308ed5

SHA512
9ee58b6d94a040da3a9f897475e06c25dbc2a812fc57e983e8f950d306c6deb6a3410cc65b0d91a558097da8b8a9846664537da3bc8286556fb81adcc68b1dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w96Gk46.exe
Filesize
359KB

MD5
fc2c0e8a21b18d6baf4b2b6bfe66e9c0

SHA1
05f166cb7abd9c5138c42a1704cdce6cd5b20be5

SHA256
40a1539b90b74b2c760720e96471db8ac3c3a594200dd5b041a0edd92c308ed5

SHA512
9ee58b6d94a040da3a9f897475e06c25dbc2a812fc57e983e8f950d306c6deb6a3410cc65b0d91a558097da8b8a9846664537da3bc8286556fb81adcc68b1dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6696.exe
Filesize
333KB

MD5
2ce453a4dc5a48b2e7d430f7d785d3d7

SHA1
a116a9fb6ec866cb03279de2deb3913f58eadd95

SHA256
70db75a65806bc666506efd664165c56f3641b8b12f345a7ccbd564e843f2ee0

SHA512
d6784e6e19ff973cef834abea9ffcf1aa7542ed7c4b1b631bff6eff849817ccba7e0f8a110785dfb0732c80587a6abbc9ee580f57942427223a6c33f33db456b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6696.exe
Filesize
333KB

MD5
2ce453a4dc5a48b2e7d430f7d785d3d7

SHA1
a116a9fb6ec866cb03279de2deb3913f58eadd95

SHA256
70db75a65806bc666506efd664165c56f3641b8b12f345a7ccbd564e843f2ee0

SHA512
d6784e6e19ff973cef834abea9ffcf1aa7542ed7c4b1b631bff6eff849817ccba7e0f8a110785dfb0732c80587a6abbc9ee580f57942427223a6c33f33db456b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1120.exe
Filesize
11KB

MD5
d6fadba142ba7f7fb1a8812b5cae8feb

SHA1
8d8852b20ea45a9e55ec0c7eae7918dd217c7ca4

SHA256
c405819e0f3d0ea0329863631425530a8f3455e2b565adec23ff8c36eaae6f40

SHA512
214ed41f7cf07293642bcbc5228281a42237d63b33ad8ded5d586587a98be3aa953638941daeb6e2ae4ee1b1ee4b5328fbed14da1a639d5874340d9529e4332f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1120.exe
Filesize
11KB

MD5
d6fadba142ba7f7fb1a8812b5cae8feb

SHA1
8d8852b20ea45a9e55ec0c7eae7918dd217c7ca4

SHA256
c405819e0f3d0ea0329863631425530a8f3455e2b565adec23ff8c36eaae6f40

SHA512
214ed41f7cf07293642bcbc5228281a42237d63b33ad8ded5d586587a98be3aa953638941daeb6e2ae4ee1b1ee4b5328fbed14da1a639d5874340d9529e4332f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0435QN.exe
Filesize
301KB

MD5
c282c5b13e884d3e04348df0e0a4575d

SHA1
91dcd6b1138758147c8c53f1b4ca9bc4334aae29

SHA256
dec76bc729f1f1902fd02fa135fbfb8b293ddfaa0e6e5e6cb7978ab878325260

SHA512
f4e5a317cb7401b98f0f0cfe2d75ade133157d1b3e8352c7f027895910ab688a79ee14d3020cdde97c614eeeabe7dfc19f998466754b3265ecf546f2967d0a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0435QN.exe
Filesize
301KB

MD5
c282c5b13e884d3e04348df0e0a4575d

SHA1
91dcd6b1138758147c8c53f1b4ca9bc4334aae29

SHA256
dec76bc729f1f1902fd02fa135fbfb8b293ddfaa0e6e5e6cb7978ab878325260

SHA512
f4e5a317cb7401b98f0f0cfe2d75ade133157d1b3e8352c7f027895910ab688a79ee14d3020cdde97c614eeeabe7dfc19f998466754b3265ecf546f2967d0a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
993dda15b7bd28ddc6098f666fcdc4ca

SHA1
d6716e52c9f398e08230896572e61e447560dc9b

SHA256
a168dd2be9de5524a9d15af9641bdf41b0b4ada8b7f6f924a91ef11d751e5360

SHA512
bbb8ff813145586d92774d3a08e081d23830505da061313792008835f184abcdf7310bb0bf118946a122cbb18ccd72f07bb0e3433a852ae28803ade13eed8a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
993dda15b7bd28ddc6098f666fcdc4ca

SHA1
d6716e52c9f398e08230896572e61e447560dc9b

SHA256
a168dd2be9de5524a9d15af9641bdf41b0b4ada8b7f6f924a91ef11d751e5360

SHA512
bbb8ff813145586d92774d3a08e081d23830505da061313792008835f184abcdf7310bb0bf118946a122cbb18ccd72f07bb0e3433a852ae28803ade13eed8a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
993dda15b7bd28ddc6098f666fcdc4ca

SHA1
d6716e52c9f398e08230896572e61e447560dc9b

SHA256
a168dd2be9de5524a9d15af9641bdf41b0b4ada8b7f6f924a91ef11d751e5360

SHA512
bbb8ff813145586d92774d3a08e081d23830505da061313792008835f184abcdf7310bb0bf118946a122cbb18ccd72f07bb0e3433a852ae28803ade13eed8a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
993dda15b7bd28ddc6098f666fcdc4ca

SHA1
d6716e52c9f398e08230896572e61e447560dc9b

SHA256
a168dd2be9de5524a9d15af9641bdf41b0b4ada8b7f6f924a91ef11d751e5360

SHA512
bbb8ff813145586d92774d3a08e081d23830505da061313792008835f184abcdf7310bb0bf118946a122cbb18ccd72f07bb0e3433a852ae28803ade13eed8a30

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/3368-1127-0x00000000073D0000-0x0000000007436000-memory.dmp

Filesize
408KB

Download
memory/3368-243-0x0000000006670000-0x00000000066AF000-memory.dmp

Filesize
252KB

Download
memory/3368-1135-0x0000000008610000-0x0000000008660000-memory.dmp

Filesize
320KB

Download
memory/3368-1134-0x0000000008570000-0x00000000085E6000-memory.dmp

Filesize
472KB

Download
memory/3368-1133-0x0000000007F20000-0x000000000844C000-memory.dmp

Filesize
5.2MB

Download
memory/3368-1132-0x0000000007D50000-0x0000000007F12000-memory.dmp

Filesize
1.8MB

Download
memory/3368-1131-0x0000000003C20000-0x0000000003C30000-memory.dmp

Filesize
64KB

Download
memory/3368-1130-0x0000000003C20000-0x0000000003C30000-memory.dmp

Filesize
64KB

Download
memory/3368-1129-0x0000000003C20000-0x0000000003C30000-memory.dmp

Filesize
64KB

Download
memory/3368-1128-0x0000000003C20000-0x0000000003C30000-memory.dmp

Filesize
64KB

Download
memory/3368-1126-0x0000000007330000-0x00000000073C2000-memory.dmp

Filesize
584KB

Download
memory/3368-1123-0x0000000003C20000-0x0000000003C30000-memory.dmp

Filesize
64KB

Download
memory/3368-1124-0x0000000007040000-0x000000000707C000-memory.dmp

Filesize
240KB

Download
memory/3368-1122-0x0000000007020000-0x0000000007032000-memory.dmp

Filesize
72KB

Download
memory/3368-210-0x0000000003770000-0x00000000037BB000-memory.dmp

Filesize
300KB

Download
memory/3368-211-0x0000000003C20000-0x0000000003C30000-memory.dmp

Filesize
64KB

Download
memory/3368-212-0x0000000003C20000-0x0000000003C30000-memory.dmp

Filesize
64KB

Download
memory/3368-214-0x0000000003C20000-0x0000000003C30000-memory.dmp

Filesize
64KB

Download
memory/3368-215-0x0000000006670000-0x00000000066AF000-memory.dmp

Filesize
252KB

Download
memory/3368-219-0x0000000006670000-0x00000000066AF000-memory.dmp

Filesize
252KB

Download
memory/3368-217-0x0000000006670000-0x00000000066AF000-memory.dmp

Filesize
252KB

Download
memory/3368-221-0x0000000006670000-0x00000000066AF000-memory.dmp

Filesize
252KB

Download
memory/3368-213-0x0000000006670000-0x00000000066AF000-memory.dmp

Filesize
252KB

Download
memory/3368-223-0x0000000006670000-0x00000000066AF000-memory.dmp

Filesize
252KB

Download
memory/3368-225-0x0000000006670000-0x00000000066AF000-memory.dmp

Filesize
252KB

Download
memory/3368-227-0x0000000006670000-0x00000000066AF000-memory.dmp

Filesize
252KB

Download
memory/3368-229-0x0000000006670000-0x00000000066AF000-memory.dmp

Filesize
252KB

Download
memory/3368-231-0x0000000006670000-0x00000000066AF000-memory.dmp

Filesize
252KB

Download
memory/3368-235-0x0000000006670000-0x00000000066AF000-memory.dmp

Filesize
252KB

Download
memory/3368-233-0x0000000006670000-0x00000000066AF000-memory.dmp

Filesize
252KB

Download
memory/3368-237-0x0000000006670000-0x00000000066AF000-memory.dmp

Filesize
252KB

Download
memory/3368-239-0x0000000006670000-0x00000000066AF000-memory.dmp

Filesize
252KB

Download
memory/3368-241-0x0000000006670000-0x00000000066AF000-memory.dmp

Filesize
252KB

Download
memory/3368-1121-0x0000000006EE0000-0x0000000006FEA000-memory.dmp

Filesize
1.0MB

Download
memory/3368-245-0x0000000006670000-0x00000000066AF000-memory.dmp

Filesize
252KB

Download
memory/3368-247-0x0000000006670000-0x00000000066AF000-memory.dmp

Filesize
252KB

Download
memory/3368-1120-0x0000000006840000-0x0000000006E58000-memory.dmp

Filesize
6.1MB

Download
memory/4420-184-0x0000000003C20000-0x0000000003C32000-memory.dmp

Filesize
72KB

Download
memory/4420-204-0x0000000006290000-0x00000000062A0000-memory.dmp

Filesize
64KB

Download
memory/4420-186-0x0000000006290000-0x00000000062A0000-memory.dmp

Filesize
64KB

Download
memory/4420-205-0x0000000000400000-0x0000000001AE3000-memory.dmp

Filesize
22.9MB

Download
memory/4420-182-0x0000000003C20000-0x0000000003C32000-memory.dmp

Filesize
72KB

Download
memory/4420-188-0x0000000006290000-0x00000000062A0000-memory.dmp

Filesize
64KB

Download
memory/4420-203-0x0000000006290000-0x00000000062A0000-memory.dmp

Filesize
64KB

Download
memory/4420-202-0x0000000006290000-0x00000000062A0000-memory.dmp

Filesize
64KB

Download
memory/4420-200-0x0000000000400000-0x0000000001AE3000-memory.dmp

Filesize
22.9MB

Download
memory/4420-199-0x0000000003C20000-0x0000000003C32000-memory.dmp

Filesize
72KB

Download
memory/4420-197-0x0000000003C20000-0x0000000003C32000-memory.dmp

Filesize
72KB

Download
memory/4420-167-0x0000000001C90000-0x0000000001CBD000-memory.dmp

Filesize
180KB

Download
memory/4420-193-0x0000000003C20000-0x0000000003C32000-memory.dmp

Filesize
72KB

Download
memory/4420-191-0x0000000003C20000-0x0000000003C32000-memory.dmp

Filesize
72KB

Download
memory/4420-187-0x0000000003C20000-0x0000000003C32000-memory.dmp

Filesize
72KB

Download
memory/4420-190-0x0000000006290000-0x00000000062A0000-memory.dmp

Filesize
64KB

Download
memory/4420-195-0x0000000003C20000-0x0000000003C32000-memory.dmp

Filesize
72KB

Download
memory/4420-168-0x00000000062A0000-0x0000000006844000-memory.dmp

Filesize
5.6MB

Download
memory/4420-169-0x0000000003C20000-0x0000000003C32000-memory.dmp

Filesize
72KB

Download
memory/4420-180-0x0000000003C20000-0x0000000003C32000-memory.dmp

Filesize
72KB

Download
memory/4420-178-0x0000000003C20000-0x0000000003C32000-memory.dmp

Filesize
72KB

Download
memory/4420-176-0x0000000003C20000-0x0000000003C32000-memory.dmp

Filesize
72KB

Download
memory/4420-174-0x0000000003C20000-0x0000000003C32000-memory.dmp

Filesize
72KB

Download
memory/4420-172-0x0000000003C20000-0x0000000003C32000-memory.dmp

Filesize
72KB

Download
memory/4420-170-0x0000000003C20000-0x0000000003C32000-memory.dmp

Filesize
72KB

Download
memory/4736-1143-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4736-1142-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4736-1141-0x00000000002C0000-0x00000000002F2000-memory.dmp

Filesize
200KB

Download
memory/4804-161-0x0000000000FD0000-0x0000000000FDA000-memory.dmp

Filesize
40KB

Download