amadey | 9ba3f2155cafa26f8caa043491cf85c3a62a4d706f5edcff03a3383a4582c5aa

Analysis

max time kernel
138s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ba3f2155cafa26f8caa043491cf85c3a62a4d706f5edcff03a3383a4582c5aa.exe
Size

990KB
MD5

64c0d37be9dcf93cf7294d7df5fcb4de
SHA1

a4a609b442d761d3dae3fd4020704ceda3133370
SHA256

9ba3f2155cafa26f8caa043491cf85c3a62a4d706f5edcff03a3383a4582c5aa
SHA512

4911b3bb9bc584dd737e19c96f0fb30cbd09ec92a9669b593ae8de8c5ddad2c2cfb90c0984554367e11d2ae73f9aed966778035ae0621ab5ccd297ca0d0a9533
SSDEEP

24576:Iy9RjkdAtcP8E5pDxMCajk0IHZmpnz10WZRW:P3jkfEQHILNeWZ

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v8006HB.exetz3029.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v8006HB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz3029.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz3029.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v8006HB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v8006HB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v8006HB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v8006HB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz3029.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz3029.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz3029.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz3029.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v8006HB.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4780-214-0x0000000004E60000-0x0000000004E9F000-memory.dmp	family_redline
behavioral1/memory/4780-212-0x0000000004E60000-0x0000000004E9F000-memory.dmp	family_redline
behavioral1/memory/4780-216-0x0000000004E60000-0x0000000004E9F000-memory.dmp	family_redline
behavioral1/memory/4780-218-0x0000000004E60000-0x0000000004E9F000-memory.dmp	family_redline
behavioral1/memory/4780-220-0x0000000004E60000-0x0000000004E9F000-memory.dmp	family_redline
behavioral1/memory/4780-228-0x0000000004E60000-0x0000000004E9F000-memory.dmp	family_redline
behavioral1/memory/4780-234-0x0000000004E60000-0x0000000004E9F000-memory.dmp	family_redline
behavioral1/memory/4780-232-0x0000000004E60000-0x0000000004E9F000-memory.dmp	family_redline
behavioral1/memory/4780-242-0x0000000004E60000-0x0000000004E9F000-memory.dmp	family_redline
behavioral1/memory/4780-240-0x0000000004E60000-0x0000000004E9F000-memory.dmp	family_redline
behavioral1/memory/4780-238-0x0000000004E60000-0x0000000004E9F000-memory.dmp	family_redline
behavioral1/memory/4780-251-0x0000000004960000-0x0000000004970000-memory.dmp	family_redline
behavioral1/memory/4780-236-0x0000000004E60000-0x0000000004E9F000-memory.dmp	family_redline
behavioral1/memory/4780-230-0x0000000004E60000-0x0000000004E9F000-memory.dmp	family_redline
behavioral1/memory/4780-226-0x0000000004E60000-0x0000000004E9F000-memory.dmp	family_redline
behavioral1/memory/4780-224-0x0000000004E60000-0x0000000004E9F000-memory.dmp	family_redline
behavioral1/memory/4780-222-0x0000000004E60000-0x0000000004E9F000-memory.dmp	family_redline
behavioral1/memory/4780-210-0x0000000004E60000-0x0000000004E9F000-memory.dmp	family_redline
behavioral1/memory/4780-209-0x0000000004E60000-0x0000000004E9F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y08TG49.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	y08TG49.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 11 IoCs

Processes:

zap3002.exezap3681.exezap9560.exetz3029.exev8006HB.exew12Ps09.exexwbYH28.exey08TG49.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
4012	zap3002.exe
3900	zap3681.exe
4456	zap9560.exe
116	tz3029.exe
4816	v8006HB.exe
4780	w12Ps09.exe
2020	xwbYH28.exe
4976	y08TG49.exe
2920	oneetx.exe
480	oneetx.exe
1572	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4524 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4524	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz3029.exev8006HB.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz3029.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v8006HB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v8006HB.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9ba3f2155cafa26f8caa043491cf85c3a62a4d706f5edcff03a3383a4582c5aa.exezap3002.exezap3681.exezap9560.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9ba3f2155cafa26f8caa043491cf85c3a62a4d706f5edcff03a3383a4582c5aa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap3002.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3681.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap3681.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap9560.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9ba3f2155cafa26f8caa043491cf85c3a62a4d706f5edcff03a3383a4582c5aa.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4856 4816 WerFault.exe v8006HB.exe
4328 4780 WerFault.exe w12Ps09.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3388 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz3029.exev8006HB.exew12Ps09.exexwbYH28.exe

pid process

116 tz3029.exe
116 tz3029.exe
4816 v8006HB.exe
4816 v8006HB.exe
4780 w12Ps09.exe
4780 w12Ps09.exe
2020 xwbYH28.exe
2020 xwbYH28.exe

pid	pid_target	process	target process
4856	4816	WerFault.exe	v8006HB.exe
4328	4780	WerFault.exe	w12Ps09.exe

pid	process
3388	schtasks.exe

pid	process
116	tz3029.exe
116	tz3029.exe
4816	v8006HB.exe
4816	v8006HB.exe
4780	w12Ps09.exe
4780	w12Ps09.exe
2020	xwbYH28.exe
2020	xwbYH28.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz3029.exev8006HB.exew12Ps09.exexwbYH28.exe

description	pid	process
Token: SeDebugPrivilege	116	tz3029.exe
Token: SeDebugPrivilege	4816	v8006HB.exe
Token: SeDebugPrivilege	4780	w12Ps09.exe
Token: SeDebugPrivilege	2020	xwbYH28.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y08TG49.exe

pid process

4976 y08TG49.exe

pid	process
4976	y08TG49.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

9ba3f2155cafa26f8caa043491cf85c3a62a4d706f5edcff03a3383a4582c5aa.exezap3002.exezap3681.exezap9560.exey08TG49.exeoneetx.execmd.exe

description	pid	process	target process
PID 1140 wrote to memory of 4012	1140	9ba3f2155cafa26f8caa043491cf85c3a62a4d706f5edcff03a3383a4582c5aa.exe	zap3002.exe
PID 1140 wrote to memory of 4012	1140	9ba3f2155cafa26f8caa043491cf85c3a62a4d706f5edcff03a3383a4582c5aa.exe	zap3002.exe
PID 1140 wrote to memory of 4012	1140	9ba3f2155cafa26f8caa043491cf85c3a62a4d706f5edcff03a3383a4582c5aa.exe	zap3002.exe
PID 4012 wrote to memory of 3900	4012	zap3002.exe	zap3681.exe
PID 4012 wrote to memory of 3900	4012	zap3002.exe	zap3681.exe
PID 4012 wrote to memory of 3900	4012	zap3002.exe	zap3681.exe
PID 3900 wrote to memory of 4456	3900	zap3681.exe	zap9560.exe
PID 3900 wrote to memory of 4456	3900	zap3681.exe	zap9560.exe
PID 3900 wrote to memory of 4456	3900	zap3681.exe	zap9560.exe
PID 4456 wrote to memory of 116	4456	zap9560.exe	tz3029.exe
PID 4456 wrote to memory of 116	4456	zap9560.exe	tz3029.exe
PID 4456 wrote to memory of 4816	4456	zap9560.exe	v8006HB.exe
PID 4456 wrote to memory of 4816	4456	zap9560.exe	v8006HB.exe
PID 4456 wrote to memory of 4816	4456	zap9560.exe	v8006HB.exe
PID 3900 wrote to memory of 4780	3900	zap3681.exe	w12Ps09.exe
PID 3900 wrote to memory of 4780	3900	zap3681.exe	w12Ps09.exe
PID 3900 wrote to memory of 4780	3900	zap3681.exe	w12Ps09.exe
PID 4012 wrote to memory of 2020	4012	zap3002.exe	xwbYH28.exe
PID 4012 wrote to memory of 2020	4012	zap3002.exe	xwbYH28.exe
PID 4012 wrote to memory of 2020	4012	zap3002.exe	xwbYH28.exe
PID 1140 wrote to memory of 4976	1140	9ba3f2155cafa26f8caa043491cf85c3a62a4d706f5edcff03a3383a4582c5aa.exe	y08TG49.exe
PID 1140 wrote to memory of 4976	1140	9ba3f2155cafa26f8caa043491cf85c3a62a4d706f5edcff03a3383a4582c5aa.exe	y08TG49.exe
PID 1140 wrote to memory of 4976	1140	9ba3f2155cafa26f8caa043491cf85c3a62a4d706f5edcff03a3383a4582c5aa.exe	y08TG49.exe
PID 4976 wrote to memory of 2920	4976	y08TG49.exe	oneetx.exe
PID 4976 wrote to memory of 2920	4976	y08TG49.exe	oneetx.exe
PID 4976 wrote to memory of 2920	4976	y08TG49.exe	oneetx.exe
PID 2920 wrote to memory of 3388	2920	oneetx.exe	schtasks.exe
PID 2920 wrote to memory of 3388	2920	oneetx.exe	schtasks.exe
PID 2920 wrote to memory of 3388	2920	oneetx.exe	schtasks.exe
PID 2920 wrote to memory of 4792	2920	oneetx.exe	cmd.exe
PID 2920 wrote to memory of 4792	2920	oneetx.exe	cmd.exe
PID 2920 wrote to memory of 4792	2920	oneetx.exe	cmd.exe
PID 4792 wrote to memory of 1600	4792	cmd.exe	cmd.exe
PID 4792 wrote to memory of 1600	4792	cmd.exe	cmd.exe
PID 4792 wrote to memory of 1600	4792	cmd.exe	cmd.exe
PID 4792 wrote to memory of 3764	4792	cmd.exe	cacls.exe
PID 4792 wrote to memory of 3764	4792	cmd.exe	cacls.exe
PID 4792 wrote to memory of 3764	4792	cmd.exe	cacls.exe
PID 4792 wrote to memory of 5020	4792	cmd.exe	cacls.exe
PID 4792 wrote to memory of 5020	4792	cmd.exe	cacls.exe
PID 4792 wrote to memory of 5020	4792	cmd.exe	cacls.exe
PID 4792 wrote to memory of 2632	4792	cmd.exe	cmd.exe
PID 4792 wrote to memory of 2632	4792	cmd.exe	cmd.exe
PID 4792 wrote to memory of 2632	4792	cmd.exe	cmd.exe
PID 4792 wrote to memory of 2728	4792	cmd.exe	cacls.exe
PID 4792 wrote to memory of 2728	4792	cmd.exe	cacls.exe
PID 4792 wrote to memory of 2728	4792	cmd.exe	cacls.exe
PID 4792 wrote to memory of 4936	4792	cmd.exe	cacls.exe
PID 4792 wrote to memory of 4936	4792	cmd.exe	cacls.exe
PID 4792 wrote to memory of 4936	4792	cmd.exe	cacls.exe
PID 2920 wrote to memory of 4524	2920	oneetx.exe	rundll32.exe
PID 2920 wrote to memory of 4524	2920	oneetx.exe	rundll32.exe
PID 2920 wrote to memory of 4524	2920	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\9ba3f2155cafa26f8caa043491cf85c3a62a4d706f5edcff03a3383a4582c5aa.exe
"C:\Users\Admin\AppData\Local\Temp\9ba3f2155cafa26f8caa043491cf85c3a62a4d706f5edcff03a3383a4582c5aa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1140

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3002.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3002.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4012

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3681.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3681.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3900

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9560.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9560.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3029.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3029.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8006HB.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8006HB.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1084
6⤵
- Program crash
PID:4856

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w12Ps09.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w12Ps09.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1352
5⤵
- Program crash
PID:4328

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xwbYH28.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xwbYH28.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y08TG49.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y08TG49.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4976

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:3388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1600

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:3764

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2632

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:2728

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:4936

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4816 -ip 4816
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4780 -ip 4780
1⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:480

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:1572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y08TG49.exe
Filesize
236KB

MD5
e812115d2dd3ed62c8183829adcf1da7

SHA1
0aa1799f6ff85d869e2054c7140a044edb401db8

SHA256
abceaf5059722a8008cd338517cb0d79b94c9736205e1f9bae1e712fe0e5d100

SHA512
96db682ddc551101c260eaa243310fe838792956623c5d8e827fd1c042c21ced4ff4c3be6d04513bba9cfc553be227b1d987a119d8c5e694336149f81e627e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y08TG49.exe
Filesize
236KB

MD5
e812115d2dd3ed62c8183829adcf1da7

SHA1
0aa1799f6ff85d869e2054c7140a044edb401db8

SHA256
abceaf5059722a8008cd338517cb0d79b94c9736205e1f9bae1e712fe0e5d100

SHA512
96db682ddc551101c260eaa243310fe838792956623c5d8e827fd1c042c21ced4ff4c3be6d04513bba9cfc553be227b1d987a119d8c5e694336149f81e627e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3002.exe
Filesize
806KB

MD5
a8a9873c24e8036bc45fd7a6ca09721e

SHA1
25577e2eac18e494cb32765199a59d70d550bbdd

SHA256
f3ca9c6796978891809c5f779deb44346168ad444f70af7fcdc01492305661fc

SHA512
7235a5515baa094ff1778f39f4ff737d5ab711201ddb67efd6db44b1f816a31ca00405804ab7fbef61466566d4390be2dc8ae3437afbd55d159aaa9038db9293

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3002.exe
Filesize
806KB

MD5
a8a9873c24e8036bc45fd7a6ca09721e

SHA1
25577e2eac18e494cb32765199a59d70d550bbdd

SHA256
f3ca9c6796978891809c5f779deb44346168ad444f70af7fcdc01492305661fc

SHA512
7235a5515baa094ff1778f39f4ff737d5ab711201ddb67efd6db44b1f816a31ca00405804ab7fbef61466566d4390be2dc8ae3437afbd55d159aaa9038db9293

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xwbYH28.exe
Filesize
175KB

MD5
99a9a7a11d4849f3eb470e26660b2e4e

SHA1
9b842ea334511aca2813b6a9b873045449fe4a57

SHA256
700709912fba1fb996be4638c13255a03a1b27dd1d3a8a76daa9a286fefbd0a5

SHA512
d640b55c33979d3806ec32ada35cee2e8257708d9ded9af2caf372cc4dde5f085c249330fe5781bbaf9e42d9388765ccd65f906f9acea25948ea0207ac80f6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xwbYH28.exe
Filesize
175KB

MD5
99a9a7a11d4849f3eb470e26660b2e4e

SHA1
9b842ea334511aca2813b6a9b873045449fe4a57

SHA256
700709912fba1fb996be4638c13255a03a1b27dd1d3a8a76daa9a286fefbd0a5

SHA512
d640b55c33979d3806ec32ada35cee2e8257708d9ded9af2caf372cc4dde5f085c249330fe5781bbaf9e42d9388765ccd65f906f9acea25948ea0207ac80f6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3681.exe
Filesize
664KB

MD5
2fe680043ffaa896f76c8137b195b01a

SHA1
cf786ac057aa16b51daeac7a8be2b11f0618f033

SHA256
e18ae4a5ae3be8591e1e72aa69bfb63e03519ebeb065595b39b5524dd571753a

SHA512
008622da33f9b62063b268831b546954bb60bc8663617fd60e565585d86783429a8223b7a7cffbc11ad8778fbd250016fe6b251695bd5020a90a1c872f4a6fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3681.exe
Filesize
664KB

MD5
2fe680043ffaa896f76c8137b195b01a

SHA1
cf786ac057aa16b51daeac7a8be2b11f0618f033

SHA256
e18ae4a5ae3be8591e1e72aa69bfb63e03519ebeb065595b39b5524dd571753a

SHA512
008622da33f9b62063b268831b546954bb60bc8663617fd60e565585d86783429a8223b7a7cffbc11ad8778fbd250016fe6b251695bd5020a90a1c872f4a6fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w12Ps09.exe
Filesize
342KB

MD5
9fd99ae813805e5fbd7b9cffc28f12f8

SHA1
91abb1c5952a68c1f99d1a7927fce670db40b573

SHA256
e96ddd575c6d9bc463cc6a27fc0af8941a3c611ece118dc99049951ac47c8966

SHA512
e53908468866c28a296c42adac452046cedb322823c74c24afb9a7c4bf56c0149a37d6c1aaf4f8f08403a91e291e1aa767d99c21ca7a7aa96b94f3ad0fd80041

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w12Ps09.exe
Filesize
342KB

MD5
9fd99ae813805e5fbd7b9cffc28f12f8

SHA1
91abb1c5952a68c1f99d1a7927fce670db40b573

SHA256
e96ddd575c6d9bc463cc6a27fc0af8941a3c611ece118dc99049951ac47c8966

SHA512
e53908468866c28a296c42adac452046cedb322823c74c24afb9a7c4bf56c0149a37d6c1aaf4f8f08403a91e291e1aa767d99c21ca7a7aa96b94f3ad0fd80041

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9560.exe
Filesize
329KB

MD5
f579ea27d4b38e32974e0e73c1d482ec

SHA1
bb57b66ecc4a0d29771aa73bb75fed02d841f4b4

SHA256
5f3af858c9026f8669c0bd7a45940ffffd3a066cdc647538b3da4cce39fa191d

SHA512
46ea8e1c36dd419af73c919b42f42509cc24adbbb560d5d84759a57841b08d9b78d1d289dbe191176c5ef24353259d2406ffe8644dc938aba56655c383d78af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9560.exe
Filesize
329KB

MD5
f579ea27d4b38e32974e0e73c1d482ec

SHA1
bb57b66ecc4a0d29771aa73bb75fed02d841f4b4

SHA256
5f3af858c9026f8669c0bd7a45940ffffd3a066cdc647538b3da4cce39fa191d

SHA512
46ea8e1c36dd419af73c919b42f42509cc24adbbb560d5d84759a57841b08d9b78d1d289dbe191176c5ef24353259d2406ffe8644dc938aba56655c383d78af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3029.exe
Filesize
12KB

MD5
36ecb9e6bcaf6354f7818254bff94cfc

SHA1
2d2b432c5b604a66825601ccf18d666b78cecbdd

SHA256
4f89872fa5bc4b0ac1766ae426416515ca7646e923a9f945e0a2754da02a8942

SHA512
c39ec5e806b9b1de402a242b83786f10863c1f35517c9b0b13f9f6151849310c3d7abe454479247acabef60ce7e3ef26e6436d5d9966fcbf72bca8bdab326f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3029.exe
Filesize
12KB

MD5
36ecb9e6bcaf6354f7818254bff94cfc

SHA1
2d2b432c5b604a66825601ccf18d666b78cecbdd

SHA256
4f89872fa5bc4b0ac1766ae426416515ca7646e923a9f945e0a2754da02a8942

SHA512
c39ec5e806b9b1de402a242b83786f10863c1f35517c9b0b13f9f6151849310c3d7abe454479247acabef60ce7e3ef26e6436d5d9966fcbf72bca8bdab326f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8006HB.exe
Filesize
283KB

MD5
63b1c730b9c6e88734f74112db2d1fb2

SHA1
ad650e5303d3c560c26f2fa48906496456190c14

SHA256
a35c610b809e25d11f68193603a33ccbac60164aacdc0da67880cfd458dfd54e

SHA512
66bdc323612bab16146d395a83ec82f9881aca3bdb2288083295747794a1f4f1efc8d9fda6da44042e162687473976501ecf9f8abba2583b61b562b4e519df4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8006HB.exe
Filesize
283KB

MD5
63b1c730b9c6e88734f74112db2d1fb2

SHA1
ad650e5303d3c560c26f2fa48906496456190c14

SHA256
a35c610b809e25d11f68193603a33ccbac60164aacdc0da67880cfd458dfd54e

SHA512
66bdc323612bab16146d395a83ec82f9881aca3bdb2288083295747794a1f4f1efc8d9fda6da44042e162687473976501ecf9f8abba2583b61b562b4e519df4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
e812115d2dd3ed62c8183829adcf1da7

SHA1
0aa1799f6ff85d869e2054c7140a044edb401db8

SHA256
abceaf5059722a8008cd338517cb0d79b94c9736205e1f9bae1e712fe0e5d100

SHA512
96db682ddc551101c260eaa243310fe838792956623c5d8e827fd1c042c21ced4ff4c3be6d04513bba9cfc553be227b1d987a119d8c5e694336149f81e627e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
e812115d2dd3ed62c8183829adcf1da7

SHA1
0aa1799f6ff85d869e2054c7140a044edb401db8

SHA256
abceaf5059722a8008cd338517cb0d79b94c9736205e1f9bae1e712fe0e5d100

SHA512
96db682ddc551101c260eaa243310fe838792956623c5d8e827fd1c042c21ced4ff4c3be6d04513bba9cfc553be227b1d987a119d8c5e694336149f81e627e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
e812115d2dd3ed62c8183829adcf1da7

SHA1
0aa1799f6ff85d869e2054c7140a044edb401db8

SHA256
abceaf5059722a8008cd338517cb0d79b94c9736205e1f9bae1e712fe0e5d100

SHA512
96db682ddc551101c260eaa243310fe838792956623c5d8e827fd1c042c21ced4ff4c3be6d04513bba9cfc553be227b1d987a119d8c5e694336149f81e627e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
e812115d2dd3ed62c8183829adcf1da7

SHA1
0aa1799f6ff85d869e2054c7140a044edb401db8

SHA256
abceaf5059722a8008cd338517cb0d79b94c9736205e1f9bae1e712fe0e5d100

SHA512
96db682ddc551101c260eaa243310fe838792956623c5d8e827fd1c042c21ced4ff4c3be6d04513bba9cfc553be227b1d987a119d8c5e694336149f81e627e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
e812115d2dd3ed62c8183829adcf1da7

SHA1
0aa1799f6ff85d869e2054c7140a044edb401db8

SHA256
abceaf5059722a8008cd338517cb0d79b94c9736205e1f9bae1e712fe0e5d100

SHA512
96db682ddc551101c260eaa243310fe838792956623c5d8e827fd1c042c21ced4ff4c3be6d04513bba9cfc553be227b1d987a119d8c5e694336149f81e627e10

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/116-161-0x0000000000FB0000-0x0000000000FBA000-memory.dmp

Filesize
40KB

Download
memory/2020-1139-0x0000000000990000-0x00000000009C2000-memory.dmp

Filesize
200KB

Download
memory/2020-1140-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/4780-1127-0x0000000008280000-0x0000000008312000-memory.dmp

Filesize
584KB

Download
memory/4780-210-0x0000000004E60000-0x0000000004E9F000-memory.dmp

Filesize
252KB

Download
memory/4780-1133-0x0000000009540000-0x0000000009590000-memory.dmp

Filesize
320KB

Download
memory/4780-1132-0x00000000094B0000-0x0000000009526000-memory.dmp

Filesize
472KB

Download
memory/4780-1131-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/4780-1130-0x0000000008C10000-0x000000000913C000-memory.dmp

Filesize
5.2MB

Download
memory/4780-1129-0x0000000008A40000-0x0000000008C02000-memory.dmp

Filesize
1.8MB

Download
memory/4780-1128-0x0000000008320000-0x0000000008386000-memory.dmp

Filesize
408KB

Download
memory/4780-1126-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/4780-214-0x0000000004E60000-0x0000000004E9F000-memory.dmp

Filesize
252KB

Download
memory/4780-212-0x0000000004E60000-0x0000000004E9F000-memory.dmp

Filesize
252KB

Download
memory/4780-216-0x0000000004E60000-0x0000000004E9F000-memory.dmp

Filesize
252KB

Download
memory/4780-218-0x0000000004E60000-0x0000000004E9F000-memory.dmp

Filesize
252KB

Download
memory/4780-220-0x0000000004E60000-0x0000000004E9F000-memory.dmp

Filesize
252KB

Download
memory/4780-228-0x0000000004E60000-0x0000000004E9F000-memory.dmp

Filesize
252KB

Download
memory/4780-234-0x0000000004E60000-0x0000000004E9F000-memory.dmp

Filesize
252KB

Download
memory/4780-232-0x0000000004E60000-0x0000000004E9F000-memory.dmp

Filesize
252KB

Download
memory/4780-242-0x0000000004E60000-0x0000000004E9F000-memory.dmp

Filesize
252KB

Download
memory/4780-240-0x0000000004E60000-0x0000000004E9F000-memory.dmp

Filesize
252KB

Download
memory/4780-247-0x0000000002CF0000-0x0000000002D3B000-memory.dmp

Filesize
300KB

Download
memory/4780-238-0x0000000004E60000-0x0000000004E9F000-memory.dmp

Filesize
252KB

Download
memory/4780-249-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/4780-251-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/4780-252-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/4780-236-0x0000000004E60000-0x0000000004E9F000-memory.dmp

Filesize
252KB

Download
memory/4780-230-0x0000000004E60000-0x0000000004E9F000-memory.dmp

Filesize
252KB

Download
memory/4780-226-0x0000000004E60000-0x0000000004E9F000-memory.dmp

Filesize
252KB

Download
memory/4780-224-0x0000000004E60000-0x0000000004E9F000-memory.dmp

Filesize
252KB

Download
memory/4780-222-0x0000000004E60000-0x0000000004E9F000-memory.dmp

Filesize
252KB

Download
memory/4780-1125-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/4780-209-0x0000000004E60000-0x0000000004E9F000-memory.dmp

Filesize
252KB

Download
memory/4780-1119-0x00000000077D0000-0x0000000007DE8000-memory.dmp

Filesize
6.1MB

Download
memory/4780-1120-0x0000000007E30000-0x0000000007F3A000-memory.dmp

Filesize
1.0MB

Download
memory/4780-1121-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/4780-1122-0x0000000007F90000-0x0000000007FCC000-memory.dmp

Filesize
240KB

Download
memory/4780-1123-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/4816-189-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4816-171-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4816-178-0x00000000047E0000-0x000000000480D000-memory.dmp

Filesize
180KB

Download
memory/4816-175-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4816-204-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/4816-203-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/4816-202-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/4816-200-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/4816-168-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4816-181-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4816-167-0x0000000007380000-0x0000000007924000-memory.dmp

Filesize
5.6MB

Download
memory/4816-177-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4816-193-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4816-191-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4816-173-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4816-195-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4816-197-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4816-199-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4816-182-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/4816-184-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/4816-180-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/4816-187-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4816-169-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4816-185-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download