amadey | 147a1924d02283f1edae5f6376da1d07dafe43b131644f9e3d4f92c8e7b50ae1

Analysis

max time kernel
107s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

147a1924d02283f1edae5f6376da1d07dafe43b131644f9e3d4f92c8e7b50ae1.exe
Size

992KB
MD5

ed23b6aae844b098da94d47af46a5b78
SHA1

05c5a08409f0b16d7cfa6283acabfb8d0b905273
SHA256

147a1924d02283f1edae5f6376da1d07dafe43b131644f9e3d4f92c8e7b50ae1
SHA512

8760cee3c70161fd9567cfad16ebd2e373f1ccc3d1a6029c10a97040e677e19f18fd56adae0599847bfb9cd1a97868e7aa77e0f1cd1434a2007887555813cdd6
SSDEEP

24576:Uy5xiiuJR83kbrRnC48MCToj7OQRd/Orm/4G7kn5XGXl:j5xGJVr1C4HAo3OYd/7Ay

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz7069.exev8500ps.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz7069.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz7069.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v8500ps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v8500ps.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz7069.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz7069.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz7069.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v8500ps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v8500ps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz7069.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v8500ps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v8500ps.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2524-210-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2524-214-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2524-217-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2524-221-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2524-211-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2524-223-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2524-225-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2524-227-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2524-229-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2524-231-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2524-233-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2524-235-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2524-237-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2524-239-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2524-241-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2524-243-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2524-245-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2524-247-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2524-1131-0x0000000004BC0000-0x0000000004BD0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y43zU79.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	y43zU79.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

Processes:

zap9212.exezap2597.exezap8554.exetz7069.exev8500ps.exew39gI54.exexILlM05.exey43zU79.exeoneetx.exeoneetx.exe

pid	process
1604	zap9212.exe
1764	zap2597.exe
2936	zap8554.exe
3244	tz7069.exe
1892	v8500ps.exe
2524	w39gI54.exe
4024	xILlM05.exe
4852	y43zU79.exe
4240	oneetx.exe
4384	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2520 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2520	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz7069.exev8500ps.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz7069.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v8500ps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v8500ps.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap8554.exe147a1924d02283f1edae5f6376da1d07dafe43b131644f9e3d4f92c8e7b50ae1.exezap9212.exezap2597.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap8554.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	147a1924d02283f1edae5f6376da1d07dafe43b131644f9e3d4f92c8e7b50ae1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	147a1924d02283f1edae5f6376da1d07dafe43b131644f9e3d4f92c8e7b50ae1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap9212.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2597.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap2597.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8554.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4164 1892 WerFault.exe v8500ps.exe
2144 2524 WerFault.exe w39gI54.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2036 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz7069.exev8500ps.exew39gI54.exexILlM05.exe

pid process

3244 tz7069.exe
3244 tz7069.exe
1892 v8500ps.exe
1892 v8500ps.exe
2524 w39gI54.exe
2524 w39gI54.exe
4024 xILlM05.exe
4024 xILlM05.exe

pid	pid_target	process	target process
4164	1892	WerFault.exe	v8500ps.exe
2144	2524	WerFault.exe	w39gI54.exe

pid	process
2036	schtasks.exe

pid	process
3244	tz7069.exe
3244	tz7069.exe
1892	v8500ps.exe
1892	v8500ps.exe
2524	w39gI54.exe
2524	w39gI54.exe
4024	xILlM05.exe
4024	xILlM05.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz7069.exev8500ps.exew39gI54.exexILlM05.exe

description	pid	process
Token: SeDebugPrivilege	3244	tz7069.exe
Token: SeDebugPrivilege	1892	v8500ps.exe
Token: SeDebugPrivilege	2524	w39gI54.exe
Token: SeDebugPrivilege	4024	xILlM05.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y43zU79.exe

pid process

4852 y43zU79.exe

pid	process
4852	y43zU79.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

147a1924d02283f1edae5f6376da1d07dafe43b131644f9e3d4f92c8e7b50ae1.exezap9212.exezap2597.exezap8554.exey43zU79.exeoneetx.execmd.exe

description	pid	process	target process
PID 3756 wrote to memory of 1604	3756	147a1924d02283f1edae5f6376da1d07dafe43b131644f9e3d4f92c8e7b50ae1.exe	zap9212.exe
PID 3756 wrote to memory of 1604	3756	147a1924d02283f1edae5f6376da1d07dafe43b131644f9e3d4f92c8e7b50ae1.exe	zap9212.exe
PID 3756 wrote to memory of 1604	3756	147a1924d02283f1edae5f6376da1d07dafe43b131644f9e3d4f92c8e7b50ae1.exe	zap9212.exe
PID 1604 wrote to memory of 1764	1604	zap9212.exe	zap2597.exe
PID 1604 wrote to memory of 1764	1604	zap9212.exe	zap2597.exe
PID 1604 wrote to memory of 1764	1604	zap9212.exe	zap2597.exe
PID 1764 wrote to memory of 2936	1764	zap2597.exe	zap8554.exe
PID 1764 wrote to memory of 2936	1764	zap2597.exe	zap8554.exe
PID 1764 wrote to memory of 2936	1764	zap2597.exe	zap8554.exe
PID 2936 wrote to memory of 3244	2936	zap8554.exe	tz7069.exe
PID 2936 wrote to memory of 3244	2936	zap8554.exe	tz7069.exe
PID 2936 wrote to memory of 1892	2936	zap8554.exe	v8500ps.exe
PID 2936 wrote to memory of 1892	2936	zap8554.exe	v8500ps.exe
PID 2936 wrote to memory of 1892	2936	zap8554.exe	v8500ps.exe
PID 1764 wrote to memory of 2524	1764	zap2597.exe	w39gI54.exe
PID 1764 wrote to memory of 2524	1764	zap2597.exe	w39gI54.exe
PID 1764 wrote to memory of 2524	1764	zap2597.exe	w39gI54.exe
PID 1604 wrote to memory of 4024	1604	zap9212.exe	xILlM05.exe
PID 1604 wrote to memory of 4024	1604	zap9212.exe	xILlM05.exe
PID 1604 wrote to memory of 4024	1604	zap9212.exe	xILlM05.exe
PID 3756 wrote to memory of 4852	3756	147a1924d02283f1edae5f6376da1d07dafe43b131644f9e3d4f92c8e7b50ae1.exe	y43zU79.exe
PID 3756 wrote to memory of 4852	3756	147a1924d02283f1edae5f6376da1d07dafe43b131644f9e3d4f92c8e7b50ae1.exe	y43zU79.exe
PID 3756 wrote to memory of 4852	3756	147a1924d02283f1edae5f6376da1d07dafe43b131644f9e3d4f92c8e7b50ae1.exe	y43zU79.exe
PID 4852 wrote to memory of 4240	4852	y43zU79.exe	oneetx.exe
PID 4852 wrote to memory of 4240	4852	y43zU79.exe	oneetx.exe
PID 4852 wrote to memory of 4240	4852	y43zU79.exe	oneetx.exe
PID 4240 wrote to memory of 2036	4240	oneetx.exe	schtasks.exe
PID 4240 wrote to memory of 2036	4240	oneetx.exe	schtasks.exe
PID 4240 wrote to memory of 2036	4240	oneetx.exe	schtasks.exe
PID 4240 wrote to memory of 456	4240	oneetx.exe	cmd.exe
PID 4240 wrote to memory of 456	4240	oneetx.exe	cmd.exe
PID 4240 wrote to memory of 456	4240	oneetx.exe	cmd.exe
PID 456 wrote to memory of 836	456	cmd.exe	cmd.exe
PID 456 wrote to memory of 836	456	cmd.exe	cmd.exe
PID 456 wrote to memory of 836	456	cmd.exe	cmd.exe
PID 456 wrote to memory of 768	456	cmd.exe	cacls.exe
PID 456 wrote to memory of 768	456	cmd.exe	cacls.exe
PID 456 wrote to memory of 768	456	cmd.exe	cacls.exe
PID 456 wrote to memory of 312	456	cmd.exe	cacls.exe
PID 456 wrote to memory of 312	456	cmd.exe	cacls.exe
PID 456 wrote to memory of 312	456	cmd.exe	cacls.exe
PID 456 wrote to memory of 3764	456	cmd.exe	cmd.exe
PID 456 wrote to memory of 3764	456	cmd.exe	cmd.exe
PID 456 wrote to memory of 3764	456	cmd.exe	cmd.exe
PID 456 wrote to memory of 4600	456	cmd.exe	cacls.exe
PID 456 wrote to memory of 4600	456	cmd.exe	cacls.exe
PID 456 wrote to memory of 4600	456	cmd.exe	cacls.exe
PID 456 wrote to memory of 4292	456	cmd.exe	cacls.exe
PID 456 wrote to memory of 4292	456	cmd.exe	cacls.exe
PID 456 wrote to memory of 4292	456	cmd.exe	cacls.exe
PID 4240 wrote to memory of 2520	4240	oneetx.exe	rundll32.exe
PID 4240 wrote to memory of 2520	4240	oneetx.exe	rundll32.exe
PID 4240 wrote to memory of 2520	4240	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\147a1924d02283f1edae5f6376da1d07dafe43b131644f9e3d4f92c8e7b50ae1.exe
"C:\Users\Admin\AppData\Local\Temp\147a1924d02283f1edae5f6376da1d07dafe43b131644f9e3d4f92c8e7b50ae1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3756

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9212.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9212.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2597.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2597.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8554.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8554.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2936

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7069.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7069.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8500ps.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8500ps.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 1100
6⤵
- Program crash
PID:4164

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w39gI54.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w39gI54.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1656
5⤵
- Program crash
PID:2144

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xILlM05.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xILlM05.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y43zU79.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y43zU79.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4852

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:2036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:836

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:768

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3764

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:4600

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:4292

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1892 -ip 1892
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2524 -ip 2524
1⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:4384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y43zU79.exe
Filesize
236KB

MD5
5f84204ca6392348bb5bedcbd05efdd3

SHA1
e12f69f24006f77b51ac0818d395179ca7c9f874

SHA256
cfd493e98ca5e820dfff0760e52259e4264b0088e19c96005439bf55f41c0c44

SHA512
8852f07e01caed991a5458f6020a7ca6acede5dbc2145d9ddfa3bfe0f5cb01da15a020f4cb0b533236b3b95ed95212b1fdfd1f33566b09f96de4c86473d9a50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y43zU79.exe
Filesize
236KB

MD5
5f84204ca6392348bb5bedcbd05efdd3

SHA1
e12f69f24006f77b51ac0818d395179ca7c9f874

SHA256
cfd493e98ca5e820dfff0760e52259e4264b0088e19c96005439bf55f41c0c44

SHA512
8852f07e01caed991a5458f6020a7ca6acede5dbc2145d9ddfa3bfe0f5cb01da15a020f4cb0b533236b3b95ed95212b1fdfd1f33566b09f96de4c86473d9a50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9212.exe
Filesize
808KB

MD5
587d116b09c8612e7746b72ca35ba17b

SHA1
8da52714ec03a5b4651c2e87aba89c0d853d83b5

SHA256
5b0dab94268c99d38ebfbdde056d0512978049dbb78a6126a3cb21e9a0ee4517

SHA512
1f527496f26bb8229588fae40c35f9e02577ec498fe1d2dd7b13c13af8655cfde7922d8e54e3804877639bd9b50e4648f22c940332adf0cc543030ade9f8181b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9212.exe
Filesize
808KB

MD5
587d116b09c8612e7746b72ca35ba17b

SHA1
8da52714ec03a5b4651c2e87aba89c0d853d83b5

SHA256
5b0dab94268c99d38ebfbdde056d0512978049dbb78a6126a3cb21e9a0ee4517

SHA512
1f527496f26bb8229588fae40c35f9e02577ec498fe1d2dd7b13c13af8655cfde7922d8e54e3804877639bd9b50e4648f22c940332adf0cc543030ade9f8181b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xILlM05.exe
Filesize
175KB

MD5
8f6970e63ddf26be16b39fc72850e5b3

SHA1
fae4af458121252aa40b5d6d425403ff606fca94

SHA256
3a945e48d2705607ca35db9a89c89845b046e701e756f6dd92171a41d0ceaf72

SHA512
3c5c5ba9ec1b622dd4e6359ad72ad6177e75cf83fe095984608e2329f0d210b126d19f77befcc3394c6919b7245d36fdf1bd382203b3993530df5d56f0765d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xILlM05.exe
Filesize
175KB

MD5
8f6970e63ddf26be16b39fc72850e5b3

SHA1
fae4af458121252aa40b5d6d425403ff606fca94

SHA256
3a945e48d2705607ca35db9a89c89845b046e701e756f6dd92171a41d0ceaf72

SHA512
3c5c5ba9ec1b622dd4e6359ad72ad6177e75cf83fe095984608e2329f0d210b126d19f77befcc3394c6919b7245d36fdf1bd382203b3993530df5d56f0765d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2597.exe
Filesize
666KB

MD5
713fdcc2db9f64f2d19395e870fbb9c1

SHA1
289f975c6c1571b5d8ebdbb7028a2e0bcb4dc6c3

SHA256
fe557ec11d360262bae18cbb410d8d8de7e3d2fbba87458b653816e3272206da

SHA512
c37ef3b1c19e3ab16a269e711cfd4b55181220a8a2147234623400682fa835ae004602fd1849aef766f579d1ebc4bd00ae0146dc7d253fd045bc480c297af6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2597.exe
Filesize
666KB

MD5
713fdcc2db9f64f2d19395e870fbb9c1

SHA1
289f975c6c1571b5d8ebdbb7028a2e0bcb4dc6c3

SHA256
fe557ec11d360262bae18cbb410d8d8de7e3d2fbba87458b653816e3272206da

SHA512
c37ef3b1c19e3ab16a269e711cfd4b55181220a8a2147234623400682fa835ae004602fd1849aef766f579d1ebc4bd00ae0146dc7d253fd045bc480c297af6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w39gI54.exe
Filesize
342KB

MD5
86109b52cb4c7f3010b93f054fc1043d

SHA1
3f213ff1434077f6b8688d27ce160bcbaeed32d1

SHA256
1c03b09c2f44c3ecaf5f4a70569c29fbda1a7aaec0ac746d2a876e4c3e6416dd

SHA512
82983e09454d44ec0abcd2fd3ee6a5e2f692505217653cf2686abf912077663df3baa2b9a9e47e4197e7bb8af0685e8d2e49936a210d0c3f882826d2800a4d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w39gI54.exe
Filesize
342KB

MD5
86109b52cb4c7f3010b93f054fc1043d

SHA1
3f213ff1434077f6b8688d27ce160bcbaeed32d1

SHA256
1c03b09c2f44c3ecaf5f4a70569c29fbda1a7aaec0ac746d2a876e4c3e6416dd

SHA512
82983e09454d44ec0abcd2fd3ee6a5e2f692505217653cf2686abf912077663df3baa2b9a9e47e4197e7bb8af0685e8d2e49936a210d0c3f882826d2800a4d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8554.exe
Filesize
329KB

MD5
73a65383194fe67f295fa2056dc08650

SHA1
0fb130964a3971ec747494893d2c31f69da11696

SHA256
ec6504226a3869391e83afde6096f4dfb0a502c446a0fdb71598d82205196aeb

SHA512
ac4532dc7ee9b0a9c067b43221b4862cf0f2ac1d2e02c2f3b59271c94b0a4d6a95989852753a92eabed768b6df0ee66d3c8dff1c4bde0bdbad91c74ba2e347d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8554.exe
Filesize
329KB

MD5
73a65383194fe67f295fa2056dc08650

SHA1
0fb130964a3971ec747494893d2c31f69da11696

SHA256
ec6504226a3869391e83afde6096f4dfb0a502c446a0fdb71598d82205196aeb

SHA512
ac4532dc7ee9b0a9c067b43221b4862cf0f2ac1d2e02c2f3b59271c94b0a4d6a95989852753a92eabed768b6df0ee66d3c8dff1c4bde0bdbad91c74ba2e347d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7069.exe
Filesize
12KB

MD5
8d96a3a25a93bf7c3cb64233e78d3e3e

SHA1
adbbbbfea625b264040bb80ec162911b78df538e

SHA256
3338547cde7a5c2eb5db9d7fc3f5af7e10af87f5f1a3622dcd6d85f5d311bba2

SHA512
1019d8ff51a87848c56c70e568187dd7ae0b8a3b0123d588ba3770de726e9a10a4b4c5914aa54f84a4a3ecdc1bf6c959df32b2b2a2fb79d7edd4c737f0ef1bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7069.exe
Filesize
12KB

MD5
8d96a3a25a93bf7c3cb64233e78d3e3e

SHA1
adbbbbfea625b264040bb80ec162911b78df538e

SHA256
3338547cde7a5c2eb5db9d7fc3f5af7e10af87f5f1a3622dcd6d85f5d311bba2

SHA512
1019d8ff51a87848c56c70e568187dd7ae0b8a3b0123d588ba3770de726e9a10a4b4c5914aa54f84a4a3ecdc1bf6c959df32b2b2a2fb79d7edd4c737f0ef1bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8500ps.exe
Filesize
284KB

MD5
1b625004717882933417c26d93f444c7

SHA1
87c11cdc2bd96b15a5a4c1ad55171b50780a819e

SHA256
3f1947d8fcf590aeeea987aa2e9d771c44425327fe53e6ffa2888eb031a362b7

SHA512
41653b633f13c9ac8c48215a181f9fb444b2b651e3a3caa14c1da17174f864488a31933613ac18a05b3449e23251eaf9a7d1125a05defc6ee447071c184dfd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8500ps.exe
Filesize
284KB

MD5
1b625004717882933417c26d93f444c7

SHA1
87c11cdc2bd96b15a5a4c1ad55171b50780a819e

SHA256
3f1947d8fcf590aeeea987aa2e9d771c44425327fe53e6ffa2888eb031a362b7

SHA512
41653b633f13c9ac8c48215a181f9fb444b2b651e3a3caa14c1da17174f864488a31933613ac18a05b3449e23251eaf9a7d1125a05defc6ee447071c184dfd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
5f84204ca6392348bb5bedcbd05efdd3

SHA1
e12f69f24006f77b51ac0818d395179ca7c9f874

SHA256
cfd493e98ca5e820dfff0760e52259e4264b0088e19c96005439bf55f41c0c44

SHA512
8852f07e01caed991a5458f6020a7ca6acede5dbc2145d9ddfa3bfe0f5cb01da15a020f4cb0b533236b3b95ed95212b1fdfd1f33566b09f96de4c86473d9a50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
5f84204ca6392348bb5bedcbd05efdd3

SHA1
e12f69f24006f77b51ac0818d395179ca7c9f874

SHA256
cfd493e98ca5e820dfff0760e52259e4264b0088e19c96005439bf55f41c0c44

SHA512
8852f07e01caed991a5458f6020a7ca6acede5dbc2145d9ddfa3bfe0f5cb01da15a020f4cb0b533236b3b95ed95212b1fdfd1f33566b09f96de4c86473d9a50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
5f84204ca6392348bb5bedcbd05efdd3

SHA1
e12f69f24006f77b51ac0818d395179ca7c9f874

SHA256
cfd493e98ca5e820dfff0760e52259e4264b0088e19c96005439bf55f41c0c44

SHA512
8852f07e01caed991a5458f6020a7ca6acede5dbc2145d9ddfa3bfe0f5cb01da15a020f4cb0b533236b3b95ed95212b1fdfd1f33566b09f96de4c86473d9a50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
5f84204ca6392348bb5bedcbd05efdd3

SHA1
e12f69f24006f77b51ac0818d395179ca7c9f874

SHA256
cfd493e98ca5e820dfff0760e52259e4264b0088e19c96005439bf55f41c0c44

SHA512
8852f07e01caed991a5458f6020a7ca6acede5dbc2145d9ddfa3bfe0f5cb01da15a020f4cb0b533236b3b95ed95212b1fdfd1f33566b09f96de4c86473d9a50e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1892-181-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/1892-203-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/1892-185-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/1892-187-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/1892-189-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/1892-191-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/1892-193-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/1892-195-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/1892-197-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/1892-199-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/1892-200-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/1892-201-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/1892-202-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/1892-183-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/1892-205-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/1892-179-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/1892-177-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/1892-175-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/1892-171-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/1892-173-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/1892-172-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/1892-170-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/1892-169-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/1892-168-0x00000000071A0000-0x0000000007744000-memory.dmp

Filesize
5.6MB

Download
memory/1892-167-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/2524-218-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/2524-1128-0x0000000008B60000-0x0000000008BD6000-memory.dmp

Filesize
472KB

Download
memory/2524-229-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2524-231-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2524-233-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2524-235-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2524-237-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2524-239-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2524-241-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2524-243-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2524-245-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2524-247-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2524-1120-0x0000000007900000-0x0000000007F18000-memory.dmp

Filesize
6.1MB

Download
memory/2524-1121-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/2524-1122-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/2524-1123-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/2524-1124-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/2524-1126-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/2524-1127-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/2524-227-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2524-1129-0x0000000008BF0000-0x0000000008C40000-memory.dmp

Filesize
320KB

Download
memory/2524-1130-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/2524-1131-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/2524-1132-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/2524-1133-0x0000000008D60000-0x0000000008F22000-memory.dmp

Filesize
1.8MB

Download
memory/2524-1134-0x0000000008F40000-0x000000000946C000-memory.dmp

Filesize
5.2MB

Download
memory/2524-1135-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/2524-210-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2524-213-0x0000000002CE0000-0x0000000002D2B000-memory.dmp

Filesize
300KB

Download
memory/2524-214-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2524-225-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2524-223-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2524-211-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2524-220-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/2524-221-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2524-217-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2524-215-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/3244-161-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/4024-1142-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4024-1141-0x0000000000590000-0x00000000005C2000-memory.dmp

Filesize
200KB

Download