amadey | d65c322d911cada1eb64e255ea9be428ff3cb9b67f8701d616cf8eb98cc61abf

Analysis

max time kernel
115s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d65c322d911cada1eb64e255ea9be428ff3cb9b67f8701d616cf8eb98cc61abf.exe
Size

1000KB
MD5

66a10742bdca298d6b7034a4fd82d16e
SHA1

19536029a982c617fa18a54303870de289d7ffb9
SHA256

d65c322d911cada1eb64e255ea9be428ff3cb9b67f8701d616cf8eb98cc61abf
SHA512

4b3630d2ce528bd48f1252a59457845400139079da887167789d0457cf7ab7be6e62f3ca8248a5140a24cf6edff53d768bc60a7fb2a3e444fe054006b04f5379
SSDEEP

24576:LyPIVloTiLfZ6XEPrPpD4tnfNKyq930kERkeDUZqh9:+AVlxLfZ6XEPrPl4tnrQENyeDUkh

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v7583pS.exetz7294.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v7583pS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v7583pS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz7294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz7294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz7294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz7294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v7583pS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v7583pS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v7583pS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v7583pS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz7294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz7294.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/744-209-0x00000000066A0000-0x00000000066DF000-memory.dmp	family_redline
behavioral1/memory/744-210-0x00000000066A0000-0x00000000066DF000-memory.dmp	family_redline
behavioral1/memory/744-212-0x00000000066A0000-0x00000000066DF000-memory.dmp	family_redline
behavioral1/memory/744-214-0x00000000066A0000-0x00000000066DF000-memory.dmp	family_redline
behavioral1/memory/744-216-0x00000000066A0000-0x00000000066DF000-memory.dmp	family_redline
behavioral1/memory/744-218-0x00000000066A0000-0x00000000066DF000-memory.dmp	family_redline
behavioral1/memory/744-220-0x00000000066A0000-0x00000000066DF000-memory.dmp	family_redline
behavioral1/memory/744-222-0x00000000066A0000-0x00000000066DF000-memory.dmp	family_redline
behavioral1/memory/744-224-0x00000000066A0000-0x00000000066DF000-memory.dmp	family_redline
behavioral1/memory/744-226-0x00000000066A0000-0x00000000066DF000-memory.dmp	family_redline
behavioral1/memory/744-228-0x00000000066A0000-0x00000000066DF000-memory.dmp	family_redline
behavioral1/memory/744-230-0x00000000066A0000-0x00000000066DF000-memory.dmp	family_redline
behavioral1/memory/744-232-0x00000000066A0000-0x00000000066DF000-memory.dmp	family_redline
behavioral1/memory/744-234-0x00000000066A0000-0x00000000066DF000-memory.dmp	family_redline
behavioral1/memory/744-236-0x00000000066A0000-0x00000000066DF000-memory.dmp	family_redline
behavioral1/memory/744-238-0x00000000066A0000-0x00000000066DF000-memory.dmp	family_redline
behavioral1/memory/744-240-0x00000000066A0000-0x00000000066DF000-memory.dmp	family_redline
behavioral1/memory/744-242-0x00000000066A0000-0x00000000066DF000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y19Cw64.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	y19Cw64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

Processes:

zap8439.exezap3887.exezap4510.exetz7294.exev7583pS.exew81Lu97.exexTQsL85.exey19Cw64.exeoneetx.exeoneetx.exe

pid	process
3980	zap8439.exe
1868	zap3887.exe
1008	zap4510.exe
2184	tz7294.exe
4820	v7583pS.exe
744	w81Lu97.exe
384	xTQsL85.exe
5036	y19Cw64.exe
4256	oneetx.exe
1900	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2056 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2056	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz7294.exev7583pS.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz7294.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v7583pS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v7583pS.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap8439.exezap3887.exezap4510.exed65c322d911cada1eb64e255ea9be428ff3cb9b67f8701d616cf8eb98cc61abf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8439.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap8439.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3887.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap3887.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap4510.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d65c322d911cada1eb64e255ea9be428ff3cb9b67f8701d616cf8eb98cc61abf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d65c322d911cada1eb64e255ea9be428ff3cb9b67f8701d616cf8eb98cc61abf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3420 4820 WerFault.exe v7583pS.exe
3960 744 WerFault.exe w81Lu97.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3612 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz7294.exev7583pS.exew81Lu97.exexTQsL85.exe

pid process

2184 tz7294.exe
2184 tz7294.exe
4820 v7583pS.exe
4820 v7583pS.exe
744 w81Lu97.exe
744 w81Lu97.exe
384 xTQsL85.exe
384 xTQsL85.exe

pid	pid_target	process	target process
3420	4820	WerFault.exe	v7583pS.exe
3960	744	WerFault.exe	w81Lu97.exe

pid	process
3612	schtasks.exe

pid	process
2184	tz7294.exe
2184	tz7294.exe
4820	v7583pS.exe
4820	v7583pS.exe
744	w81Lu97.exe
744	w81Lu97.exe
384	xTQsL85.exe
384	xTQsL85.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz7294.exev7583pS.exew81Lu97.exexTQsL85.exe

description	pid	process
Token: SeDebugPrivilege	2184	tz7294.exe
Token: SeDebugPrivilege	4820	v7583pS.exe
Token: SeDebugPrivilege	744	w81Lu97.exe
Token: SeDebugPrivilege	384	xTQsL85.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y19Cw64.exe

pid process

5036 y19Cw64.exe

pid	process
5036	y19Cw64.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

d65c322d911cada1eb64e255ea9be428ff3cb9b67f8701d616cf8eb98cc61abf.exezap8439.exezap3887.exezap4510.exey19Cw64.exeoneetx.execmd.exe

description	pid	process	target process
PID 748 wrote to memory of 3980	748	d65c322d911cada1eb64e255ea9be428ff3cb9b67f8701d616cf8eb98cc61abf.exe	zap8439.exe
PID 748 wrote to memory of 3980	748	d65c322d911cada1eb64e255ea9be428ff3cb9b67f8701d616cf8eb98cc61abf.exe	zap8439.exe
PID 748 wrote to memory of 3980	748	d65c322d911cada1eb64e255ea9be428ff3cb9b67f8701d616cf8eb98cc61abf.exe	zap8439.exe
PID 3980 wrote to memory of 1868	3980	zap8439.exe	zap3887.exe
PID 3980 wrote to memory of 1868	3980	zap8439.exe	zap3887.exe
PID 3980 wrote to memory of 1868	3980	zap8439.exe	zap3887.exe
PID 1868 wrote to memory of 1008	1868	zap3887.exe	zap4510.exe
PID 1868 wrote to memory of 1008	1868	zap3887.exe	zap4510.exe
PID 1868 wrote to memory of 1008	1868	zap3887.exe	zap4510.exe
PID 1008 wrote to memory of 2184	1008	zap4510.exe	tz7294.exe
PID 1008 wrote to memory of 2184	1008	zap4510.exe	tz7294.exe
PID 1008 wrote to memory of 4820	1008	zap4510.exe	v7583pS.exe
PID 1008 wrote to memory of 4820	1008	zap4510.exe	v7583pS.exe
PID 1008 wrote to memory of 4820	1008	zap4510.exe	v7583pS.exe
PID 1868 wrote to memory of 744	1868	zap3887.exe	w81Lu97.exe
PID 1868 wrote to memory of 744	1868	zap3887.exe	w81Lu97.exe
PID 1868 wrote to memory of 744	1868	zap3887.exe	w81Lu97.exe
PID 3980 wrote to memory of 384	3980	zap8439.exe	xTQsL85.exe
PID 3980 wrote to memory of 384	3980	zap8439.exe	xTQsL85.exe
PID 3980 wrote to memory of 384	3980	zap8439.exe	xTQsL85.exe
PID 748 wrote to memory of 5036	748	d65c322d911cada1eb64e255ea9be428ff3cb9b67f8701d616cf8eb98cc61abf.exe	y19Cw64.exe
PID 748 wrote to memory of 5036	748	d65c322d911cada1eb64e255ea9be428ff3cb9b67f8701d616cf8eb98cc61abf.exe	y19Cw64.exe
PID 748 wrote to memory of 5036	748	d65c322d911cada1eb64e255ea9be428ff3cb9b67f8701d616cf8eb98cc61abf.exe	y19Cw64.exe
PID 5036 wrote to memory of 4256	5036	y19Cw64.exe	oneetx.exe
PID 5036 wrote to memory of 4256	5036	y19Cw64.exe	oneetx.exe
PID 5036 wrote to memory of 4256	5036	y19Cw64.exe	oneetx.exe
PID 4256 wrote to memory of 3612	4256	oneetx.exe	schtasks.exe
PID 4256 wrote to memory of 3612	4256	oneetx.exe	schtasks.exe
PID 4256 wrote to memory of 3612	4256	oneetx.exe	schtasks.exe
PID 4256 wrote to memory of 4504	4256	oneetx.exe	cmd.exe
PID 4256 wrote to memory of 4504	4256	oneetx.exe	cmd.exe
PID 4256 wrote to memory of 4504	4256	oneetx.exe	cmd.exe
PID 4504 wrote to memory of 2676	4504	cmd.exe	cmd.exe
PID 4504 wrote to memory of 2676	4504	cmd.exe	cmd.exe
PID 4504 wrote to memory of 2676	4504	cmd.exe	cmd.exe
PID 4504 wrote to memory of 2996	4504	cmd.exe	cacls.exe
PID 4504 wrote to memory of 2996	4504	cmd.exe	cacls.exe
PID 4504 wrote to memory of 2996	4504	cmd.exe	cacls.exe
PID 4504 wrote to memory of 2820	4504	cmd.exe	cacls.exe
PID 4504 wrote to memory of 2820	4504	cmd.exe	cacls.exe
PID 4504 wrote to memory of 2820	4504	cmd.exe	cacls.exe
PID 4504 wrote to memory of 1692	4504	cmd.exe	cmd.exe
PID 4504 wrote to memory of 1692	4504	cmd.exe	cmd.exe
PID 4504 wrote to memory of 1692	4504	cmd.exe	cmd.exe
PID 4504 wrote to memory of 2348	4504	cmd.exe	cacls.exe
PID 4504 wrote to memory of 2348	4504	cmd.exe	cacls.exe
PID 4504 wrote to memory of 2348	4504	cmd.exe	cacls.exe
PID 4504 wrote to memory of 1460	4504	cmd.exe	cacls.exe
PID 4504 wrote to memory of 1460	4504	cmd.exe	cacls.exe
PID 4504 wrote to memory of 1460	4504	cmd.exe	cacls.exe
PID 4256 wrote to memory of 2056	4256	oneetx.exe	rundll32.exe
PID 4256 wrote to memory of 2056	4256	oneetx.exe	rundll32.exe
PID 4256 wrote to memory of 2056	4256	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\d65c322d911cada1eb64e255ea9be428ff3cb9b67f8701d616cf8eb98cc61abf.exe
"C:\Users\Admin\AppData\Local\Temp\d65c322d911cada1eb64e255ea9be428ff3cb9b67f8701d616cf8eb98cc61abf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8439.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8439.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3887.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3887.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4510.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4510.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7294.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7294.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7583pS.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7583pS.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1080
6⤵
- Program crash
PID:3420

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w81Lu97.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w81Lu97.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1348
5⤵
- Program crash
PID:3960

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xTQsL85.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xTQsL85.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y19Cw64.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y19Cw64.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5036

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:3612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2676

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:2996

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1692

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:2348

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:1460

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4820 -ip 4820
1⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 744 -ip 744
1⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y19Cw64.exe
Filesize
236KB

MD5
e2c1e7be1d5a0cfb273ac0c19e22dac8

SHA1
97e493c25563ec621723ed488c955492d60c8634

SHA256
0418ffabc133c8469c9268b3953dc02f462300ba1db1af1711f658432ab883ca

SHA512
bdb1ff9ce52d5e0d622d35b22150d0781dd4180c5d2601d2752a56353824bc603944f35fd822096d7f71662c8392fea7e652bad19d32e791d9bee4844815caf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y19Cw64.exe
Filesize
236KB

MD5
e2c1e7be1d5a0cfb273ac0c19e22dac8

SHA1
97e493c25563ec621723ed488c955492d60c8634

SHA256
0418ffabc133c8469c9268b3953dc02f462300ba1db1af1711f658432ab883ca

SHA512
bdb1ff9ce52d5e0d622d35b22150d0781dd4180c5d2601d2752a56353824bc603944f35fd822096d7f71662c8392fea7e652bad19d32e791d9bee4844815caf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8439.exe
Filesize
816KB

MD5
daaa713461fce82569b1fb16fb18dbd0

SHA1
b45e09e46e3130afa60ea617b12bbfecccfdb24e

SHA256
a3ebfea68b0c47d87ce5e4d2c831344583cc14583505300c610dbf00b1131d03

SHA512
c989256690a7ff9824905c824572467dd6f99c719593ff917acb95164b78e2d27c6808914238973fad08578798f2a2eba88e5994a8ac0b9eb54b72f6ce4c7add

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8439.exe
Filesize
816KB

MD5
daaa713461fce82569b1fb16fb18dbd0

SHA1
b45e09e46e3130afa60ea617b12bbfecccfdb24e

SHA256
a3ebfea68b0c47d87ce5e4d2c831344583cc14583505300c610dbf00b1131d03

SHA512
c989256690a7ff9824905c824572467dd6f99c719593ff917acb95164b78e2d27c6808914238973fad08578798f2a2eba88e5994a8ac0b9eb54b72f6ce4c7add

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xTQsL85.exe
Filesize
175KB

MD5
91179aa03548bd517661604b5fe4dd7f

SHA1
c8aa887af0dc0861e029f231d9cad879864a948b

SHA256
49f0ea8ad60e7567a4d52a1f91d39bc1c0de6f6b57941d1367cf1220c1c89f2e

SHA512
d31eb409fc782fc3fd052bad5df8c08324c1eed6cbb0ace5745f7bf219988bf34222ac8c26378a1fadde81573a12f6654089c8b5183724f2030203def4c737b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xTQsL85.exe
Filesize
175KB

MD5
91179aa03548bd517661604b5fe4dd7f

SHA1
c8aa887af0dc0861e029f231d9cad879864a948b

SHA256
49f0ea8ad60e7567a4d52a1f91d39bc1c0de6f6b57941d1367cf1220c1c89f2e

SHA512
d31eb409fc782fc3fd052bad5df8c08324c1eed6cbb0ace5745f7bf219988bf34222ac8c26378a1fadde81573a12f6654089c8b5183724f2030203def4c737b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3887.exe
Filesize
673KB

MD5
d9e1189e7eade443565bf96f56362ae8

SHA1
56c171ddc57d4b9bdb7b04e537a45da6c6a3d5d9

SHA256
2fbd4da82b89ae541033ecb9115e59b30acc0278f7f00972b3954aa3dc72ec8b

SHA512
cbe5c62fdb0a547a533ff3dc28281d6bad8c66317e17cc09cacebc3e1126e45ec3b674af0c89fbe05f265d562f962fb4a638889f239166e8008f0a2823edb048

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3887.exe
Filesize
673KB

MD5
d9e1189e7eade443565bf96f56362ae8

SHA1
56c171ddc57d4b9bdb7b04e537a45da6c6a3d5d9

SHA256
2fbd4da82b89ae541033ecb9115e59b30acc0278f7f00972b3954aa3dc72ec8b

SHA512
cbe5c62fdb0a547a533ff3dc28281d6bad8c66317e17cc09cacebc3e1126e45ec3b674af0c89fbe05f265d562f962fb4a638889f239166e8008f0a2823edb048

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w81Lu97.exe
Filesize
359KB

MD5
267c28708216cfc2d2c1d53a240fb2b7

SHA1
1bc1a3a95f5e40f0631c2f34aaaf96d98831e685

SHA256
939c8848221fc85fd535f33ccbaa06434944ccb5deb52d1c7546d6463b1d234c

SHA512
fff18300abdcea27a761da5452f1516111a03314ac90bcd55a97a838120572f27f97a123d4349e035bf281fa26792c4b3f9038d79469d41b811a832cc94427bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w81Lu97.exe
Filesize
359KB

MD5
267c28708216cfc2d2c1d53a240fb2b7

SHA1
1bc1a3a95f5e40f0631c2f34aaaf96d98831e685

SHA256
939c8848221fc85fd535f33ccbaa06434944ccb5deb52d1c7546d6463b1d234c

SHA512
fff18300abdcea27a761da5452f1516111a03314ac90bcd55a97a838120572f27f97a123d4349e035bf281fa26792c4b3f9038d79469d41b811a832cc94427bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4510.exe
Filesize
333KB

MD5
2a88295d4923017fb26a64d0d35d2f61

SHA1
48801e6b815efbb208aa5cb171ca4eba6429085e

SHA256
ff846f1ba0d3acd0821d069d9f8d95234e2e0f1ef04b8dcde2c69d9e8e1cfff4

SHA512
ac421e79c82fb383605ca98109b21c5ca3d657f870b37c38ac5df144c942459515091900a887f73a120e5e8d929c0f34c25300691ec1963bb8746fa880408268

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4510.exe
Filesize
333KB

MD5
2a88295d4923017fb26a64d0d35d2f61

SHA1
48801e6b815efbb208aa5cb171ca4eba6429085e

SHA256
ff846f1ba0d3acd0821d069d9f8d95234e2e0f1ef04b8dcde2c69d9e8e1cfff4

SHA512
ac421e79c82fb383605ca98109b21c5ca3d657f870b37c38ac5df144c942459515091900a887f73a120e5e8d929c0f34c25300691ec1963bb8746fa880408268

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7294.exe
Filesize
11KB

MD5
91b17820e7f3dce8a2189fbc55f1addc

SHA1
666ff4b4cc583600e7682ef5fb05e1c3cc0acc3e

SHA256
f8aa3d34fad4bf03d2eec6ed0b354cff52c08668c4fe6b89189357475fd0f734

SHA512
1153b563cb7f5b78df61cbeaa7eeca72f4ea7d3ad88f645ad5bfa5e2f4a13817a32d681275b8d17e4512da9a43c92257590249acf3809a447eb679884236eb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7294.exe
Filesize
11KB

MD5
91b17820e7f3dce8a2189fbc55f1addc

SHA1
666ff4b4cc583600e7682ef5fb05e1c3cc0acc3e

SHA256
f8aa3d34fad4bf03d2eec6ed0b354cff52c08668c4fe6b89189357475fd0f734

SHA512
1153b563cb7f5b78df61cbeaa7eeca72f4ea7d3ad88f645ad5bfa5e2f4a13817a32d681275b8d17e4512da9a43c92257590249acf3809a447eb679884236eb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7583pS.exe
Filesize
301KB

MD5
f23c32a5167d1387b25795e6dab5a733

SHA1
47e84020e05b151173e503f2d7b64c66db02950a

SHA256
d865dc34577a9f0e202ba06ab3d045996871b717fe871a12364d71bb9c5ec8dd

SHA512
971242fe3b529c637161d26bd5513ebb4f2eb3dd78df6049a7874f037c978e3135004fee4b23782af6456b1c3a625953d28f47292ab62f3972fadea0be7abf8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7583pS.exe
Filesize
301KB

MD5
f23c32a5167d1387b25795e6dab5a733

SHA1
47e84020e05b151173e503f2d7b64c66db02950a

SHA256
d865dc34577a9f0e202ba06ab3d045996871b717fe871a12364d71bb9c5ec8dd

SHA512
971242fe3b529c637161d26bd5513ebb4f2eb3dd78df6049a7874f037c978e3135004fee4b23782af6456b1c3a625953d28f47292ab62f3972fadea0be7abf8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
e2c1e7be1d5a0cfb273ac0c19e22dac8

SHA1
97e493c25563ec621723ed488c955492d60c8634

SHA256
0418ffabc133c8469c9268b3953dc02f462300ba1db1af1711f658432ab883ca

SHA512
bdb1ff9ce52d5e0d622d35b22150d0781dd4180c5d2601d2752a56353824bc603944f35fd822096d7f71662c8392fea7e652bad19d32e791d9bee4844815caf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
e2c1e7be1d5a0cfb273ac0c19e22dac8

SHA1
97e493c25563ec621723ed488c955492d60c8634

SHA256
0418ffabc133c8469c9268b3953dc02f462300ba1db1af1711f658432ab883ca

SHA512
bdb1ff9ce52d5e0d622d35b22150d0781dd4180c5d2601d2752a56353824bc603944f35fd822096d7f71662c8392fea7e652bad19d32e791d9bee4844815caf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
e2c1e7be1d5a0cfb273ac0c19e22dac8

SHA1
97e493c25563ec621723ed488c955492d60c8634

SHA256
0418ffabc133c8469c9268b3953dc02f462300ba1db1af1711f658432ab883ca

SHA512
bdb1ff9ce52d5e0d622d35b22150d0781dd4180c5d2601d2752a56353824bc603944f35fd822096d7f71662c8392fea7e652bad19d32e791d9bee4844815caf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
e2c1e7be1d5a0cfb273ac0c19e22dac8

SHA1
97e493c25563ec621723ed488c955492d60c8634

SHA256
0418ffabc133c8469c9268b3953dc02f462300ba1db1af1711f658432ab883ca

SHA512
bdb1ff9ce52d5e0d622d35b22150d0781dd4180c5d2601d2752a56353824bc603944f35fd822096d7f71662c8392fea7e652bad19d32e791d9bee4844815caf8

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/384-1140-0x0000000000710000-0x0000000000742000-memory.dmp

Filesize
200KB

Download
memory/384-1141-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/384-1142-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/744-1127-0x0000000007AF0000-0x0000000007CB2000-memory.dmp

Filesize
1.8MB

Download
memory/744-492-0x00000000060A0000-0x00000000060B0000-memory.dmp

Filesize
64KB

Download
memory/744-1134-0x0000000009700000-0x0000000009750000-memory.dmp

Filesize
320KB

Download
memory/744-1133-0x00000000039E0000-0x0000000003A56000-memory.dmp

Filesize
472KB

Download
memory/744-1132-0x00000000060A0000-0x00000000060B0000-memory.dmp

Filesize
64KB

Download
memory/744-1131-0x00000000060A0000-0x00000000060B0000-memory.dmp

Filesize
64KB

Download
memory/744-1130-0x00000000060A0000-0x00000000060B0000-memory.dmp

Filesize
64KB

Download
memory/744-1129-0x00000000060A0000-0x00000000060B0000-memory.dmp

Filesize
64KB

Download
memory/744-1128-0x0000000007CD0000-0x00000000081FC000-memory.dmp

Filesize
5.2MB

Download
memory/744-1125-0x00000000073D0000-0x0000000007436000-memory.dmp

Filesize
408KB

Download
memory/744-209-0x00000000066A0000-0x00000000066DF000-memory.dmp

Filesize
252KB

Download
memory/744-210-0x00000000066A0000-0x00000000066DF000-memory.dmp

Filesize
252KB

Download
memory/744-212-0x00000000066A0000-0x00000000066DF000-memory.dmp

Filesize
252KB

Download
memory/744-214-0x00000000066A0000-0x00000000066DF000-memory.dmp

Filesize
252KB

Download
memory/744-216-0x00000000066A0000-0x00000000066DF000-memory.dmp

Filesize
252KB

Download
memory/744-218-0x00000000066A0000-0x00000000066DF000-memory.dmp

Filesize
252KB

Download
memory/744-220-0x00000000066A0000-0x00000000066DF000-memory.dmp

Filesize
252KB

Download
memory/744-222-0x00000000066A0000-0x00000000066DF000-memory.dmp

Filesize
252KB

Download
memory/744-224-0x00000000066A0000-0x00000000066DF000-memory.dmp

Filesize
252KB

Download
memory/744-226-0x00000000066A0000-0x00000000066DF000-memory.dmp

Filesize
252KB

Download
memory/744-228-0x00000000066A0000-0x00000000066DF000-memory.dmp

Filesize
252KB

Download
memory/744-230-0x00000000066A0000-0x00000000066DF000-memory.dmp

Filesize
252KB

Download
memory/744-232-0x00000000066A0000-0x00000000066DF000-memory.dmp

Filesize
252KB

Download
memory/744-234-0x00000000066A0000-0x00000000066DF000-memory.dmp

Filesize
252KB

Download
memory/744-236-0x00000000066A0000-0x00000000066DF000-memory.dmp

Filesize
252KB

Download
memory/744-238-0x00000000066A0000-0x00000000066DF000-memory.dmp

Filesize
252KB

Download
memory/744-240-0x00000000066A0000-0x00000000066DF000-memory.dmp

Filesize
252KB

Download
memory/744-242-0x00000000066A0000-0x00000000066DF000-memory.dmp

Filesize
252KB

Download
memory/744-486-0x0000000001EB0000-0x0000000001EFB000-memory.dmp

Filesize
300KB

Download
memory/744-487-0x00000000060A0000-0x00000000060B0000-memory.dmp

Filesize
64KB

Download
memory/744-490-0x00000000060A0000-0x00000000060B0000-memory.dmp

Filesize
64KB

Download
memory/744-1124-0x0000000007330000-0x00000000073C2000-memory.dmp

Filesize
584KB

Download
memory/744-1119-0x0000000006840000-0x0000000006E58000-memory.dmp

Filesize
6.1MB

Download
memory/744-1120-0x0000000006EE0000-0x0000000006FEA000-memory.dmp

Filesize
1.0MB

Download
memory/744-1121-0x0000000007020000-0x0000000007032000-memory.dmp

Filesize
72KB

Download
memory/744-1122-0x0000000007040000-0x000000000707C000-memory.dmp

Filesize
240KB

Download
memory/744-1123-0x00000000060A0000-0x00000000060B0000-memory.dmp

Filesize
64KB

Download
memory/2184-161-0x0000000000E70000-0x0000000000E7A000-memory.dmp

Filesize
40KB

Download
memory/4820-184-0x0000000006070000-0x0000000006082000-memory.dmp

Filesize
72KB

Download
memory/4820-169-0x0000000006090000-0x00000000060A0000-memory.dmp

Filesize
64KB

Download
memory/4820-194-0x0000000006070000-0x0000000006082000-memory.dmp

Filesize
72KB

Download
memory/4820-204-0x0000000000400000-0x0000000001AE3000-memory.dmp

Filesize
22.9MB

Download
memory/4820-202-0x0000000006090000-0x00000000060A0000-memory.dmp

Filesize
64KB

Download
memory/4820-201-0x0000000006090000-0x00000000060A0000-memory.dmp

Filesize
64KB

Download
memory/4820-200-0x0000000006090000-0x00000000060A0000-memory.dmp

Filesize
64KB

Download
memory/4820-199-0x0000000000400000-0x0000000001AE3000-memory.dmp

Filesize
22.9MB

Download
memory/4820-198-0x0000000006070000-0x0000000006082000-memory.dmp

Filesize
72KB

Download
memory/4820-188-0x0000000006070000-0x0000000006082000-memory.dmp

Filesize
72KB

Download
memory/4820-192-0x0000000006070000-0x0000000006082000-memory.dmp

Filesize
72KB

Download
memory/4820-190-0x0000000006070000-0x0000000006082000-memory.dmp

Filesize
72KB

Download
memory/4820-180-0x0000000006070000-0x0000000006082000-memory.dmp

Filesize
72KB

Download
memory/4820-178-0x0000000006070000-0x0000000006082000-memory.dmp

Filesize
72KB

Download
memory/4820-182-0x0000000006070000-0x0000000006082000-memory.dmp

Filesize
72KB

Download
memory/4820-176-0x0000000006070000-0x0000000006082000-memory.dmp

Filesize
72KB

Download
memory/4820-174-0x0000000006070000-0x0000000006082000-memory.dmp

Filesize
72KB

Download
memory/4820-172-0x0000000006070000-0x0000000006082000-memory.dmp

Filesize
72KB

Download
memory/4820-171-0x0000000006070000-0x0000000006082000-memory.dmp

Filesize
72KB

Download
memory/4820-170-0x0000000006090000-0x00000000060A0000-memory.dmp

Filesize
64KB

Download
memory/4820-168-0x00000000060A0000-0x0000000006644000-memory.dmp

Filesize
5.6MB

Download
memory/4820-196-0x0000000006070000-0x0000000006082000-memory.dmp

Filesize
72KB

Download
memory/4820-167-0x0000000001BA0000-0x0000000001BCD000-memory.dmp

Filesize
180KB

Download
memory/4820-186-0x0000000006070000-0x0000000006082000-memory.dmp

Filesize
72KB

Download