amadey | e2a6141dbe52a5017ba25f58db9b51adac008858ea9408593115741fa2e70d70

Analysis

max time kernel
114s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2a6141dbe52a5017ba25f58db9b51adac008858ea9408593115741fa2e70d70.exe
Size

1000KB
MD5

3b7936481536ad678780e36a11c10053
SHA1

10266422006fa2c8e2a7e11556561b9232227377
SHA256

e2a6141dbe52a5017ba25f58db9b51adac008858ea9408593115741fa2e70d70
SHA512

06771c10b26116b32084a0242fe82e7c330bfa8e3b53a7183436141c48772bafd248865023bcb609a01d61eb8182e2708346cee7930558a0fcb3373a661f60a5
SSDEEP

24576:ky3MAUsdsQBY41GLp3m3Xmq/xGI2ssR7:z3Vt2mGLp2n4IA

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v5658wz.exetz9197.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v5658wz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v5658wz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz9197.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v5658wz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz9197.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz9197.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz9197.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v5658wz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v5658wz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v5658wz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz9197.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz9197.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4764-210-0x00000000060B0000-0x00000000060EF000-memory.dmp	family_redline
behavioral1/memory/4764-212-0x00000000060B0000-0x00000000060EF000-memory.dmp	family_redline
behavioral1/memory/4764-217-0x0000000006170000-0x0000000006180000-memory.dmp	family_redline
behavioral1/memory/4764-216-0x00000000060B0000-0x00000000060EF000-memory.dmp	family_redline
behavioral1/memory/4764-219-0x00000000060B0000-0x00000000060EF000-memory.dmp	family_redline
behavioral1/memory/4764-221-0x00000000060B0000-0x00000000060EF000-memory.dmp	family_redline
behavioral1/memory/4764-223-0x00000000060B0000-0x00000000060EF000-memory.dmp	family_redline
behavioral1/memory/4764-225-0x00000000060B0000-0x00000000060EF000-memory.dmp	family_redline
behavioral1/memory/4764-227-0x00000000060B0000-0x00000000060EF000-memory.dmp	family_redline
behavioral1/memory/4764-229-0x00000000060B0000-0x00000000060EF000-memory.dmp	family_redline
behavioral1/memory/4764-231-0x00000000060B0000-0x00000000060EF000-memory.dmp	family_redline
behavioral1/memory/4764-233-0x00000000060B0000-0x00000000060EF000-memory.dmp	family_redline
behavioral1/memory/4764-237-0x00000000060B0000-0x00000000060EF000-memory.dmp	family_redline
behavioral1/memory/4764-235-0x00000000060B0000-0x00000000060EF000-memory.dmp	family_redline
behavioral1/memory/4764-239-0x00000000060B0000-0x00000000060EF000-memory.dmp	family_redline
behavioral1/memory/4764-241-0x00000000060B0000-0x00000000060EF000-memory.dmp	family_redline
behavioral1/memory/4764-243-0x00000000060B0000-0x00000000060EF000-memory.dmp	family_redline
behavioral1/memory/4764-245-0x00000000060B0000-0x00000000060EF000-memory.dmp	family_redline
behavioral1/memory/4764-247-0x00000000060B0000-0x00000000060EF000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y05KF08.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	y05KF08.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

Processes:

zap4720.exezap1823.exezap7110.exetz9197.exev5658wz.exew30gg36.exextNCg88.exey05KF08.exeoneetx.exeoneetx.exe

pid	process
4164	zap4720.exe
3864	zap1823.exe
4348	zap7110.exe
4948	tz9197.exe
1652	v5658wz.exe
4764	w30gg36.exe
548	xtNCg88.exe
1400	y05KF08.exe
5060	oneetx.exe
3340	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5072 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5072	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz9197.exev5658wz.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz9197.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v5658wz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v5658wz.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap4720.exezap1823.exezap7110.exee2a6141dbe52a5017ba25f58db9b51adac008858ea9408593115741fa2e70d70.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4720.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap4720.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap1823.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7110.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap7110.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e2a6141dbe52a5017ba25f58db9b51adac008858ea9408593115741fa2e70d70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e2a6141dbe52a5017ba25f58db9b51adac008858ea9408593115741fa2e70d70.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4784 1652 WerFault.exe v5658wz.exe
1748 4764 WerFault.exe w30gg36.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

460 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz9197.exev5658wz.exew30gg36.exextNCg88.exe

pid process

4948 tz9197.exe
4948 tz9197.exe
1652 v5658wz.exe
1652 v5658wz.exe
4764 w30gg36.exe
4764 w30gg36.exe
548 xtNCg88.exe
548 xtNCg88.exe

pid	pid_target	process	target process
4784	1652	WerFault.exe	v5658wz.exe
1748	4764	WerFault.exe	w30gg36.exe

pid	process
460	schtasks.exe

pid	process
4948	tz9197.exe
4948	tz9197.exe
1652	v5658wz.exe
1652	v5658wz.exe
4764	w30gg36.exe
4764	w30gg36.exe
548	xtNCg88.exe
548	xtNCg88.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz9197.exev5658wz.exew30gg36.exextNCg88.exe

description	pid	process
Token: SeDebugPrivilege	4948	tz9197.exe
Token: SeDebugPrivilege	1652	v5658wz.exe
Token: SeDebugPrivilege	4764	w30gg36.exe
Token: SeDebugPrivilege	548	xtNCg88.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y05KF08.exe

pid process

1400 y05KF08.exe

pid	process
1400	y05KF08.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

e2a6141dbe52a5017ba25f58db9b51adac008858ea9408593115741fa2e70d70.exezap4720.exezap1823.exezap7110.exey05KF08.exeoneetx.execmd.exe

description	pid	process	target process
PID 5012 wrote to memory of 4164	5012	e2a6141dbe52a5017ba25f58db9b51adac008858ea9408593115741fa2e70d70.exe	zap4720.exe
PID 5012 wrote to memory of 4164	5012	e2a6141dbe52a5017ba25f58db9b51adac008858ea9408593115741fa2e70d70.exe	zap4720.exe
PID 5012 wrote to memory of 4164	5012	e2a6141dbe52a5017ba25f58db9b51adac008858ea9408593115741fa2e70d70.exe	zap4720.exe
PID 4164 wrote to memory of 3864	4164	zap4720.exe	zap1823.exe
PID 4164 wrote to memory of 3864	4164	zap4720.exe	zap1823.exe
PID 4164 wrote to memory of 3864	4164	zap4720.exe	zap1823.exe
PID 3864 wrote to memory of 4348	3864	zap1823.exe	zap7110.exe
PID 3864 wrote to memory of 4348	3864	zap1823.exe	zap7110.exe
PID 3864 wrote to memory of 4348	3864	zap1823.exe	zap7110.exe
PID 4348 wrote to memory of 4948	4348	zap7110.exe	tz9197.exe
PID 4348 wrote to memory of 4948	4348	zap7110.exe	tz9197.exe
PID 4348 wrote to memory of 1652	4348	zap7110.exe	v5658wz.exe
PID 4348 wrote to memory of 1652	4348	zap7110.exe	v5658wz.exe
PID 4348 wrote to memory of 1652	4348	zap7110.exe	v5658wz.exe
PID 3864 wrote to memory of 4764	3864	zap1823.exe	w30gg36.exe
PID 3864 wrote to memory of 4764	3864	zap1823.exe	w30gg36.exe
PID 3864 wrote to memory of 4764	3864	zap1823.exe	w30gg36.exe
PID 4164 wrote to memory of 548	4164	zap4720.exe	xtNCg88.exe
PID 4164 wrote to memory of 548	4164	zap4720.exe	xtNCg88.exe
PID 4164 wrote to memory of 548	4164	zap4720.exe	xtNCg88.exe
PID 5012 wrote to memory of 1400	5012	e2a6141dbe52a5017ba25f58db9b51adac008858ea9408593115741fa2e70d70.exe	y05KF08.exe
PID 5012 wrote to memory of 1400	5012	e2a6141dbe52a5017ba25f58db9b51adac008858ea9408593115741fa2e70d70.exe	y05KF08.exe
PID 5012 wrote to memory of 1400	5012	e2a6141dbe52a5017ba25f58db9b51adac008858ea9408593115741fa2e70d70.exe	y05KF08.exe
PID 1400 wrote to memory of 5060	1400	y05KF08.exe	oneetx.exe
PID 1400 wrote to memory of 5060	1400	y05KF08.exe	oneetx.exe
PID 1400 wrote to memory of 5060	1400	y05KF08.exe	oneetx.exe
PID 5060 wrote to memory of 460	5060	oneetx.exe	schtasks.exe
PID 5060 wrote to memory of 460	5060	oneetx.exe	schtasks.exe
PID 5060 wrote to memory of 460	5060	oneetx.exe	schtasks.exe
PID 5060 wrote to memory of 3704	5060	oneetx.exe	cmd.exe
PID 5060 wrote to memory of 3704	5060	oneetx.exe	cmd.exe
PID 5060 wrote to memory of 3704	5060	oneetx.exe	cmd.exe
PID 3704 wrote to memory of 676	3704	cmd.exe	cmd.exe
PID 3704 wrote to memory of 676	3704	cmd.exe	cmd.exe
PID 3704 wrote to memory of 676	3704	cmd.exe	cmd.exe
PID 3704 wrote to memory of 1872	3704	cmd.exe	cacls.exe
PID 3704 wrote to memory of 1872	3704	cmd.exe	cacls.exe
PID 3704 wrote to memory of 1872	3704	cmd.exe	cacls.exe
PID 3704 wrote to memory of 3904	3704	cmd.exe	cacls.exe
PID 3704 wrote to memory of 3904	3704	cmd.exe	cacls.exe
PID 3704 wrote to memory of 3904	3704	cmd.exe	cacls.exe
PID 3704 wrote to memory of 4300	3704	cmd.exe	cmd.exe
PID 3704 wrote to memory of 4300	3704	cmd.exe	cmd.exe
PID 3704 wrote to memory of 4300	3704	cmd.exe	cmd.exe
PID 3704 wrote to memory of 3616	3704	cmd.exe	cacls.exe
PID 3704 wrote to memory of 3616	3704	cmd.exe	cacls.exe
PID 3704 wrote to memory of 3616	3704	cmd.exe	cacls.exe
PID 3704 wrote to memory of 4028	3704	cmd.exe	cacls.exe
PID 3704 wrote to memory of 4028	3704	cmd.exe	cacls.exe
PID 3704 wrote to memory of 4028	3704	cmd.exe	cacls.exe
PID 5060 wrote to memory of 5072	5060	oneetx.exe	rundll32.exe
PID 5060 wrote to memory of 5072	5060	oneetx.exe	rundll32.exe
PID 5060 wrote to memory of 5072	5060	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\e2a6141dbe52a5017ba25f58db9b51adac008858ea9408593115741fa2e70d70.exe
"C:\Users\Admin\AppData\Local\Temp\e2a6141dbe52a5017ba25f58db9b51adac008858ea9408593115741fa2e70d70.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5012

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4720.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4720.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4164

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1823.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1823.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3864

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7110.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7110.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4348

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9197.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9197.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5658wz.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5658wz.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1004
6⤵
- Program crash
PID:4784

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w30gg36.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w30gg36.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1348
5⤵
- Program crash
PID:1748

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xtNCg88.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xtNCg88.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y05KF08.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y05KF08.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:676

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:1872

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4300

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:3616

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:4028

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1652 -ip 1652
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4764 -ip 4764
1⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:3340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y05KF08.exe
Filesize
236KB

MD5
5140fb4ad835edc70b35fc2dff7795a5

SHA1
604e22ae9466e3248966bc075ca543726fe923cc

SHA256
e24f9837654ae1721e8804489a386530c5bdaef838465b6c5216ebc06a09a09f

SHA512
81cb04c6f2d95c4fc905ac311fc81dffd45d8fd381e9e15656ccb05c63df181d5f086e4e6f92a20e42dca8b9d4d1c7b9ae7f9003a086cc97a67c4875fc023512

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y05KF08.exe
Filesize
236KB

MD5
5140fb4ad835edc70b35fc2dff7795a5

SHA1
604e22ae9466e3248966bc075ca543726fe923cc

SHA256
e24f9837654ae1721e8804489a386530c5bdaef838465b6c5216ebc06a09a09f

SHA512
81cb04c6f2d95c4fc905ac311fc81dffd45d8fd381e9e15656ccb05c63df181d5f086e4e6f92a20e42dca8b9d4d1c7b9ae7f9003a086cc97a67c4875fc023512

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4720.exe
Filesize
815KB

MD5
6903d96766a1239f8da3afba3463e0b3

SHA1
6398271591a1e8a3f48fca2af52397001b50d7a3

SHA256
32b9eb1459190872fb576de711678ac18a96fd5ed386703ede79c9b0918b8fa9

SHA512
6fc62cf6ab2afde2c5fd1eea264a3810aebb1b0de1a783ee936c58e6b82d2aa76c93c60e4401cc051942d8153c65f79c21413ebdf4be588dc857d7060b41c81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4720.exe
Filesize
815KB

MD5
6903d96766a1239f8da3afba3463e0b3

SHA1
6398271591a1e8a3f48fca2af52397001b50d7a3

SHA256
32b9eb1459190872fb576de711678ac18a96fd5ed386703ede79c9b0918b8fa9

SHA512
6fc62cf6ab2afde2c5fd1eea264a3810aebb1b0de1a783ee936c58e6b82d2aa76c93c60e4401cc051942d8153c65f79c21413ebdf4be588dc857d7060b41c81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xtNCg88.exe
Filesize
175KB

MD5
4d92b8e0c6b89e70758283e187b82b2c

SHA1
b0885dd98402a805355e24cfdc27ea63203ac620

SHA256
3eca35bcc98bd96916e9bf42dff4cf737062588c88a6a136bbb31ea084306210

SHA512
8a869a8f7104b3dab3d3be5a709ad394fca9374cbba7cdc422c07ae857d27d44fc0a4a22102d833f82c16baefc85baae7b336041f792d9f1e85da6a3813d2c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xtNCg88.exe
Filesize
175KB

MD5
4d92b8e0c6b89e70758283e187b82b2c

SHA1
b0885dd98402a805355e24cfdc27ea63203ac620

SHA256
3eca35bcc98bd96916e9bf42dff4cf737062588c88a6a136bbb31ea084306210

SHA512
8a869a8f7104b3dab3d3be5a709ad394fca9374cbba7cdc422c07ae857d27d44fc0a4a22102d833f82c16baefc85baae7b336041f792d9f1e85da6a3813d2c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1823.exe
Filesize
673KB

MD5
e2d9ffad09dbbd1cb2cadf6fa75eaa0d

SHA1
e56c0211639b82ee29af3f39ef9d199129ab1cf5

SHA256
50a49bd28b20cdcccd2514d52e9ef9bcdc10ea23d3ff37e62890f11ba5228d93

SHA512
0cb8fadad6d29eb8df9add4023f143431981b1a227ce7ef7f6ad4c42c463aa9dca4cac933287d002f4a6f614c66c2b1c9fc5e4a0ce3b07fcf10664819b26b7b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1823.exe
Filesize
673KB

MD5
e2d9ffad09dbbd1cb2cadf6fa75eaa0d

SHA1
e56c0211639b82ee29af3f39ef9d199129ab1cf5

SHA256
50a49bd28b20cdcccd2514d52e9ef9bcdc10ea23d3ff37e62890f11ba5228d93

SHA512
0cb8fadad6d29eb8df9add4023f143431981b1a227ce7ef7f6ad4c42c463aa9dca4cac933287d002f4a6f614c66c2b1c9fc5e4a0ce3b07fcf10664819b26b7b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w30gg36.exe
Filesize
359KB

MD5
40484e48b3b4a59d4723b901bdef40c1

SHA1
4b5b6051c76c2bd470183f84161cddf77b2e45e1

SHA256
f0687d3a349f24cdc5cbbc8bd8ebd632677f262fb8720ff1c59b7e35dae65851

SHA512
fc377ffcf7464ad2bb83a3b41c76327aa2970a0afd798be6c708a313307de332522c04c9e882c58beb130e5d0f472247577ac2e44c00141276c8e13fcb246684

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w30gg36.exe
Filesize
359KB

MD5
40484e48b3b4a59d4723b901bdef40c1

SHA1
4b5b6051c76c2bd470183f84161cddf77b2e45e1

SHA256
f0687d3a349f24cdc5cbbc8bd8ebd632677f262fb8720ff1c59b7e35dae65851

SHA512
fc377ffcf7464ad2bb83a3b41c76327aa2970a0afd798be6c708a313307de332522c04c9e882c58beb130e5d0f472247577ac2e44c00141276c8e13fcb246684

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7110.exe
Filesize
333KB

MD5
462093b8c9c574b01b85e516f198a01c

SHA1
d1b6f9968272f0fdc75868a3143c7d222c6e84c2

SHA256
10b27ba28c84dc4160023470835fb40bb83f0430f2f2f8c9971500e3e9ad990e

SHA512
523b3c60eba5deabf591ca00108cbb16b1e28ff887945b11c9648740aa3da36848c6607962eb8316b81f5e8c39f64bb2d1de51d7f828290a524f6c9bc00054f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7110.exe
Filesize
333KB

MD5
462093b8c9c574b01b85e516f198a01c

SHA1
d1b6f9968272f0fdc75868a3143c7d222c6e84c2

SHA256
10b27ba28c84dc4160023470835fb40bb83f0430f2f2f8c9971500e3e9ad990e

SHA512
523b3c60eba5deabf591ca00108cbb16b1e28ff887945b11c9648740aa3da36848c6607962eb8316b81f5e8c39f64bb2d1de51d7f828290a524f6c9bc00054f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9197.exe
Filesize
11KB

MD5
10b1d836c2aff2f058636c0902c924aa

SHA1
cee6659e4f9f41f228f053905969e59a3db320cf

SHA256
7bfdb27dc61d2da28e22213b80d4697a2deaa7a85632ff335fa7657bcaa696ed

SHA512
513c9e1e513e72ce630d227d4425bb75fb63db77bc7f0b3e9db933d22aa12b257d060dba31900670f85339f855b34fe900e8a3f5055cc84d6e51322aa4423d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9197.exe
Filesize
11KB

MD5
10b1d836c2aff2f058636c0902c924aa

SHA1
cee6659e4f9f41f228f053905969e59a3db320cf

SHA256
7bfdb27dc61d2da28e22213b80d4697a2deaa7a85632ff335fa7657bcaa696ed

SHA512
513c9e1e513e72ce630d227d4425bb75fb63db77bc7f0b3e9db933d22aa12b257d060dba31900670f85339f855b34fe900e8a3f5055cc84d6e51322aa4423d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5658wz.exe
Filesize
301KB

MD5
b82ced2e0170678e1e828e8728e86770

SHA1
7ccd38960f2744ebb0f942c050bd83aa7213604c

SHA256
a3b9d6cc3cb4f2772e467ca61ebebcd5afec2ea015755ea1892f52254da28779

SHA512
a995ddfd30737e413c37f111f662dca5e762c9badfb30737403db9e9989806f6afb599e7986e7276d86d149636958bda5ef6317370656926b1708fd29711f659

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5658wz.exe
Filesize
301KB

MD5
b82ced2e0170678e1e828e8728e86770

SHA1
7ccd38960f2744ebb0f942c050bd83aa7213604c

SHA256
a3b9d6cc3cb4f2772e467ca61ebebcd5afec2ea015755ea1892f52254da28779

SHA512
a995ddfd30737e413c37f111f662dca5e762c9badfb30737403db9e9989806f6afb599e7986e7276d86d149636958bda5ef6317370656926b1708fd29711f659

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
5140fb4ad835edc70b35fc2dff7795a5

SHA1
604e22ae9466e3248966bc075ca543726fe923cc

SHA256
e24f9837654ae1721e8804489a386530c5bdaef838465b6c5216ebc06a09a09f

SHA512
81cb04c6f2d95c4fc905ac311fc81dffd45d8fd381e9e15656ccb05c63df181d5f086e4e6f92a20e42dca8b9d4d1c7b9ae7f9003a086cc97a67c4875fc023512

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
5140fb4ad835edc70b35fc2dff7795a5

SHA1
604e22ae9466e3248966bc075ca543726fe923cc

SHA256
e24f9837654ae1721e8804489a386530c5bdaef838465b6c5216ebc06a09a09f

SHA512
81cb04c6f2d95c4fc905ac311fc81dffd45d8fd381e9e15656ccb05c63df181d5f086e4e6f92a20e42dca8b9d4d1c7b9ae7f9003a086cc97a67c4875fc023512

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
5140fb4ad835edc70b35fc2dff7795a5

SHA1
604e22ae9466e3248966bc075ca543726fe923cc

SHA256
e24f9837654ae1721e8804489a386530c5bdaef838465b6c5216ebc06a09a09f

SHA512
81cb04c6f2d95c4fc905ac311fc81dffd45d8fd381e9e15656ccb05c63df181d5f086e4e6f92a20e42dca8b9d4d1c7b9ae7f9003a086cc97a67c4875fc023512

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
5140fb4ad835edc70b35fc2dff7795a5

SHA1
604e22ae9466e3248966bc075ca543726fe923cc

SHA256
e24f9837654ae1721e8804489a386530c5bdaef838465b6c5216ebc06a09a09f

SHA512
81cb04c6f2d95c4fc905ac311fc81dffd45d8fd381e9e15656ccb05c63df181d5f086e4e6f92a20e42dca8b9d4d1c7b9ae7f9003a086cc97a67c4875fc023512

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/548-1143-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/548-1142-0x0000000000F80000-0x0000000000FB2000-memory.dmp

Filesize
200KB

Download
memory/1652-183-0x0000000006050000-0x0000000006062000-memory.dmp

Filesize
72KB

Download
memory/1652-189-0x0000000006050000-0x0000000006062000-memory.dmp

Filesize
72KB

Download
memory/1652-191-0x0000000006050000-0x0000000006062000-memory.dmp

Filesize
72KB

Download
memory/1652-193-0x0000000006050000-0x0000000006062000-memory.dmp

Filesize
72KB

Download
memory/1652-195-0x0000000006050000-0x0000000006062000-memory.dmp

Filesize
72KB

Download
memory/1652-197-0x0000000006050000-0x0000000006062000-memory.dmp

Filesize
72KB

Download
memory/1652-198-0x0000000006130000-0x0000000006140000-memory.dmp

Filesize
64KB

Download
memory/1652-199-0x0000000006130000-0x0000000006140000-memory.dmp

Filesize
64KB

Download
memory/1652-200-0x0000000000400000-0x0000000001AE3000-memory.dmp

Filesize
22.9MB

Download
memory/1652-201-0x0000000006130000-0x0000000006140000-memory.dmp

Filesize
64KB

Download
memory/1652-203-0x0000000006130000-0x0000000006140000-memory.dmp

Filesize
64KB

Download
memory/1652-204-0x0000000006130000-0x0000000006140000-memory.dmp

Filesize
64KB

Download
memory/1652-205-0x0000000000400000-0x0000000001AE3000-memory.dmp

Filesize
22.9MB

Download
memory/1652-187-0x0000000006050000-0x0000000006062000-memory.dmp

Filesize
72KB

Download
memory/1652-185-0x0000000006050000-0x0000000006062000-memory.dmp

Filesize
72KB

Download
memory/1652-181-0x0000000006050000-0x0000000006062000-memory.dmp

Filesize
72KB

Download
memory/1652-179-0x0000000006050000-0x0000000006062000-memory.dmp

Filesize
72KB

Download
memory/1652-177-0x0000000006050000-0x0000000006062000-memory.dmp

Filesize
72KB

Download
memory/1652-175-0x0000000006050000-0x0000000006062000-memory.dmp

Filesize
72KB

Download
memory/1652-173-0x0000000006050000-0x0000000006062000-memory.dmp

Filesize
72KB

Download
memory/1652-171-0x0000000006050000-0x0000000006062000-memory.dmp

Filesize
72KB

Download
memory/1652-170-0x0000000006050000-0x0000000006062000-memory.dmp

Filesize
72KB

Download
memory/1652-169-0x0000000006140000-0x00000000066E4000-memory.dmp

Filesize
5.6MB

Download
memory/1652-168-0x0000000006130000-0x0000000006140000-memory.dmp

Filesize
64KB

Download
memory/1652-167-0x0000000001C70000-0x0000000001C9D000-memory.dmp

Filesize
180KB

Download
memory/4764-217-0x0000000006170000-0x0000000006180000-memory.dmp

Filesize
64KB

Download
memory/4764-231-0x00000000060B0000-0x00000000060EF000-memory.dmp

Filesize
252KB

Download
memory/4764-233-0x00000000060B0000-0x00000000060EF000-memory.dmp

Filesize
252KB

Download
memory/4764-237-0x00000000060B0000-0x00000000060EF000-memory.dmp

Filesize
252KB

Download
memory/4764-235-0x00000000060B0000-0x00000000060EF000-memory.dmp

Filesize
252KB

Download
memory/4764-239-0x00000000060B0000-0x00000000060EF000-memory.dmp

Filesize
252KB

Download
memory/4764-241-0x00000000060B0000-0x00000000060EF000-memory.dmp

Filesize
252KB

Download
memory/4764-243-0x00000000060B0000-0x00000000060EF000-memory.dmp

Filesize
252KB

Download
memory/4764-245-0x00000000060B0000-0x00000000060EF000-memory.dmp

Filesize
252KB

Download
memory/4764-247-0x00000000060B0000-0x00000000060EF000-memory.dmp

Filesize
252KB

Download
memory/4764-1120-0x0000000006840000-0x0000000006E58000-memory.dmp

Filesize
6.1MB

Download
memory/4764-1121-0x0000000006EE0000-0x0000000006FEA000-memory.dmp

Filesize
1.0MB

Download
memory/4764-1122-0x0000000007020000-0x0000000007032000-memory.dmp

Filesize
72KB

Download
memory/4764-1123-0x0000000007040000-0x000000000707C000-memory.dmp

Filesize
240KB

Download
memory/4764-1124-0x0000000006170000-0x0000000006180000-memory.dmp

Filesize
64KB

Download
memory/4764-1126-0x0000000007330000-0x00000000073C2000-memory.dmp

Filesize
584KB

Download
memory/4764-1127-0x00000000073D0000-0x0000000007436000-memory.dmp

Filesize
408KB

Download
memory/4764-1128-0x0000000006170000-0x0000000006180000-memory.dmp

Filesize
64KB

Download
memory/4764-1129-0x0000000006170000-0x0000000006180000-memory.dmp

Filesize
64KB

Download
memory/4764-1130-0x0000000006170000-0x0000000006180000-memory.dmp

Filesize
64KB

Download
memory/4764-1131-0x0000000007AF0000-0x0000000007CB2000-memory.dmp

Filesize
1.8MB

Download
memory/4764-1132-0x0000000007CD0000-0x00000000081FC000-memory.dmp

Filesize
5.2MB

Download
memory/4764-1133-0x0000000006170000-0x0000000006180000-memory.dmp

Filesize
64KB

Download
memory/4764-229-0x00000000060B0000-0x00000000060EF000-memory.dmp

Filesize
252KB

Download
memory/4764-227-0x00000000060B0000-0x00000000060EF000-memory.dmp

Filesize
252KB

Download
memory/4764-225-0x00000000060B0000-0x00000000060EF000-memory.dmp

Filesize
252KB

Download
memory/4764-223-0x00000000060B0000-0x00000000060EF000-memory.dmp

Filesize
252KB

Download
memory/4764-221-0x00000000060B0000-0x00000000060EF000-memory.dmp

Filesize
252KB

Download
memory/4764-219-0x00000000060B0000-0x00000000060EF000-memory.dmp

Filesize
252KB

Download
memory/4764-216-0x00000000060B0000-0x00000000060EF000-memory.dmp

Filesize
252KB

Download
memory/4764-215-0x0000000006170000-0x0000000006180000-memory.dmp

Filesize
64KB

Download
memory/4764-212-0x00000000060B0000-0x00000000060EF000-memory.dmp

Filesize
252KB

Download
memory/4764-213-0x0000000006170000-0x0000000006180000-memory.dmp

Filesize
64KB

Download
memory/4764-210-0x00000000060B0000-0x00000000060EF000-memory.dmp

Filesize
252KB

Download
memory/4764-211-0x0000000003770000-0x00000000037BB000-memory.dmp

Filesize
300KB

Download
memory/4764-1134-0x0000000008430000-0x00000000084A6000-memory.dmp

Filesize
472KB

Download
memory/4764-1135-0x00000000084C0000-0x0000000008510000-memory.dmp

Filesize
320KB

Download
memory/4948-161-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download