amadey | 7eb6e8a0716234b43ae70ffec6b131f52e836f3899db417c2346524930291d7c

Analysis

max time kernel
111s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7eb6e8a0716234b43ae70ffec6b131f52e836f3899db417c2346524930291d7c.exe
Size

992KB
MD5

986dd5fea5263bd52595f68e7d05856a
SHA1

eebd76d8300d4e37c85fda5db4fd76b6280ca7b0
SHA256

7eb6e8a0716234b43ae70ffec6b131f52e836f3899db417c2346524930291d7c
SHA512

dfdbf7bfab96231b1a81af8334afbdc8f0a66ead30be37ce9b66859884b5c08e1b9507ac888b1da66717dcc0102e5659755ca6854665ba9eead3036f08115443
SSDEEP

24576:7yrle1fsfrEReCarIiYCqU7pSVmjNqJrhhavrHg1LNAz:urCf2riQIiYpUE0jarnavrHghNA

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v7095bK.exetz2327.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v7095bK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v7095bK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz2327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz2327.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v7095bK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz2327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v7095bK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v7095bK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v7095bK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz2327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz2327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz2327.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1512-209-0x0000000007720000-0x000000000775F000-memory.dmp	family_redline
behavioral1/memory/1512-212-0x0000000007720000-0x000000000775F000-memory.dmp	family_redline
behavioral1/memory/1512-210-0x0000000007720000-0x000000000775F000-memory.dmp	family_redline
behavioral1/memory/1512-215-0x0000000007720000-0x000000000775F000-memory.dmp	family_redline
behavioral1/memory/1512-218-0x0000000007720000-0x000000000775F000-memory.dmp	family_redline
behavioral1/memory/1512-220-0x0000000007720000-0x000000000775F000-memory.dmp	family_redline
behavioral1/memory/1512-222-0x0000000007720000-0x000000000775F000-memory.dmp	family_redline
behavioral1/memory/1512-224-0x0000000007720000-0x000000000775F000-memory.dmp	family_redline
behavioral1/memory/1512-226-0x0000000007720000-0x000000000775F000-memory.dmp	family_redline
behavioral1/memory/1512-228-0x0000000007720000-0x000000000775F000-memory.dmp	family_redline
behavioral1/memory/1512-230-0x0000000007720000-0x000000000775F000-memory.dmp	family_redline
behavioral1/memory/1512-232-0x0000000007720000-0x000000000775F000-memory.dmp	family_redline
behavioral1/memory/1512-234-0x0000000007720000-0x000000000775F000-memory.dmp	family_redline
behavioral1/memory/1512-236-0x0000000007720000-0x000000000775F000-memory.dmp	family_redline
behavioral1/memory/1512-238-0x0000000007720000-0x000000000775F000-memory.dmp	family_redline
behavioral1/memory/1512-240-0x0000000007720000-0x000000000775F000-memory.dmp	family_redline
behavioral1/memory/1512-242-0x0000000007720000-0x000000000775F000-memory.dmp	family_redline
behavioral1/memory/1512-244-0x0000000007720000-0x000000000775F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

oneetx.exey92qr06.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	y92qr06.exe

Executes dropped EXE 10 IoCs

Processes:

zap2589.exezap1068.exezap4501.exetz2327.exev7095bK.exew90eP12.exexwVHG36.exey92qr06.exeoneetx.exeoneetx.exe

pid	process
4912	zap2589.exe
4732	zap1068.exe
4748	zap4501.exe
3424	tz2327.exe
444	v7095bK.exe
1512	w90eP12.exe
4492	xwVHG36.exe
2804	y92qr06.exe
3356	oneetx.exe
2372	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

220 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
220	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz2327.exev7095bK.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz2327.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v7095bK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v7095bK.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap4501.exe7eb6e8a0716234b43ae70ffec6b131f52e836f3899db417c2346524930291d7c.exezap2589.exezap1068.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4501.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap4501.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7eb6e8a0716234b43ae70ffec6b131f52e836f3899db417c2346524930291d7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7eb6e8a0716234b43ae70ffec6b131f52e836f3899db417c2346524930291d7c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2589.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap2589.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1068.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap1068.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

448 444 WerFault.exe v7095bK.exe
5088 1512 WerFault.exe w90eP12.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4216 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz2327.exev7095bK.exew90eP12.exexwVHG36.exe

pid process

3424 tz2327.exe
3424 tz2327.exe
444 v7095bK.exe
444 v7095bK.exe
1512 w90eP12.exe
1512 w90eP12.exe
4492 xwVHG36.exe
4492 xwVHG36.exe

pid	pid_target	process	target process
448	444	WerFault.exe	v7095bK.exe
5088	1512	WerFault.exe	w90eP12.exe

pid	process
4216	schtasks.exe

pid	process
3424	tz2327.exe
3424	tz2327.exe
444	v7095bK.exe
444	v7095bK.exe
1512	w90eP12.exe
1512	w90eP12.exe
4492	xwVHG36.exe
4492	xwVHG36.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz2327.exev7095bK.exew90eP12.exexwVHG36.exe

description	pid	process
Token: SeDebugPrivilege	3424	tz2327.exe
Token: SeDebugPrivilege	444	v7095bK.exe
Token: SeDebugPrivilege	1512	w90eP12.exe
Token: SeDebugPrivilege	4492	xwVHG36.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y92qr06.exe

pid process

2804 y92qr06.exe

pid	process
2804	y92qr06.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

7eb6e8a0716234b43ae70ffec6b131f52e836f3899db417c2346524930291d7c.exezap2589.exezap1068.exezap4501.exey92qr06.exeoneetx.execmd.exe

description	pid	process	target process
PID 4964 wrote to memory of 4912	4964	7eb6e8a0716234b43ae70ffec6b131f52e836f3899db417c2346524930291d7c.exe	zap2589.exe
PID 4964 wrote to memory of 4912	4964	7eb6e8a0716234b43ae70ffec6b131f52e836f3899db417c2346524930291d7c.exe	zap2589.exe
PID 4964 wrote to memory of 4912	4964	7eb6e8a0716234b43ae70ffec6b131f52e836f3899db417c2346524930291d7c.exe	zap2589.exe
PID 4912 wrote to memory of 4732	4912	zap2589.exe	zap1068.exe
PID 4912 wrote to memory of 4732	4912	zap2589.exe	zap1068.exe
PID 4912 wrote to memory of 4732	4912	zap2589.exe	zap1068.exe
PID 4732 wrote to memory of 4748	4732	zap1068.exe	zap4501.exe
PID 4732 wrote to memory of 4748	4732	zap1068.exe	zap4501.exe
PID 4732 wrote to memory of 4748	4732	zap1068.exe	zap4501.exe
PID 4748 wrote to memory of 3424	4748	zap4501.exe	tz2327.exe
PID 4748 wrote to memory of 3424	4748	zap4501.exe	tz2327.exe
PID 4748 wrote to memory of 444	4748	zap4501.exe	v7095bK.exe
PID 4748 wrote to memory of 444	4748	zap4501.exe	v7095bK.exe
PID 4748 wrote to memory of 444	4748	zap4501.exe	v7095bK.exe
PID 4732 wrote to memory of 1512	4732	zap1068.exe	w90eP12.exe
PID 4732 wrote to memory of 1512	4732	zap1068.exe	w90eP12.exe
PID 4732 wrote to memory of 1512	4732	zap1068.exe	w90eP12.exe
PID 4912 wrote to memory of 4492	4912	zap2589.exe	xwVHG36.exe
PID 4912 wrote to memory of 4492	4912	zap2589.exe	xwVHG36.exe
PID 4912 wrote to memory of 4492	4912	zap2589.exe	xwVHG36.exe
PID 4964 wrote to memory of 2804	4964	7eb6e8a0716234b43ae70ffec6b131f52e836f3899db417c2346524930291d7c.exe	y92qr06.exe
PID 4964 wrote to memory of 2804	4964	7eb6e8a0716234b43ae70ffec6b131f52e836f3899db417c2346524930291d7c.exe	y92qr06.exe
PID 4964 wrote to memory of 2804	4964	7eb6e8a0716234b43ae70ffec6b131f52e836f3899db417c2346524930291d7c.exe	y92qr06.exe
PID 2804 wrote to memory of 3356	2804	y92qr06.exe	oneetx.exe
PID 2804 wrote to memory of 3356	2804	y92qr06.exe	oneetx.exe
PID 2804 wrote to memory of 3356	2804	y92qr06.exe	oneetx.exe
PID 3356 wrote to memory of 4216	3356	oneetx.exe	schtasks.exe
PID 3356 wrote to memory of 4216	3356	oneetx.exe	schtasks.exe
PID 3356 wrote to memory of 4216	3356	oneetx.exe	schtasks.exe
PID 3356 wrote to memory of 1360	3356	oneetx.exe	cmd.exe
PID 3356 wrote to memory of 1360	3356	oneetx.exe	cmd.exe
PID 3356 wrote to memory of 1360	3356	oneetx.exe	cmd.exe
PID 1360 wrote to memory of 1340	1360	cmd.exe	cmd.exe
PID 1360 wrote to memory of 1340	1360	cmd.exe	cmd.exe
PID 1360 wrote to memory of 1340	1360	cmd.exe	cmd.exe
PID 1360 wrote to memory of 4488	1360	cmd.exe	cacls.exe
PID 1360 wrote to memory of 4488	1360	cmd.exe	cacls.exe
PID 1360 wrote to memory of 4488	1360	cmd.exe	cacls.exe
PID 1360 wrote to memory of 4148	1360	cmd.exe	cacls.exe
PID 1360 wrote to memory of 4148	1360	cmd.exe	cacls.exe
PID 1360 wrote to memory of 4148	1360	cmd.exe	cacls.exe
PID 1360 wrote to memory of 1780	1360	cmd.exe	cmd.exe
PID 1360 wrote to memory of 1780	1360	cmd.exe	cmd.exe
PID 1360 wrote to memory of 1780	1360	cmd.exe	cmd.exe
PID 1360 wrote to memory of 636	1360	cmd.exe	cacls.exe
PID 1360 wrote to memory of 636	1360	cmd.exe	cacls.exe
PID 1360 wrote to memory of 636	1360	cmd.exe	cacls.exe
PID 1360 wrote to memory of 3768	1360	cmd.exe	cacls.exe
PID 1360 wrote to memory of 3768	1360	cmd.exe	cacls.exe
PID 1360 wrote to memory of 3768	1360	cmd.exe	cacls.exe
PID 3356 wrote to memory of 220	3356	oneetx.exe	rundll32.exe
PID 3356 wrote to memory of 220	3356	oneetx.exe	rundll32.exe
PID 3356 wrote to memory of 220	3356	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7eb6e8a0716234b43ae70ffec6b131f52e836f3899db417c2346524930291d7c.exe
"C:\Users\Admin\AppData\Local\Temp\7eb6e8a0716234b43ae70ffec6b131f52e836f3899db417c2346524930291d7c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4964

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2589.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2589.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4912

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1068.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1068.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4732

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4501.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4501.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4748

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2327.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2327.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7095bK.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7095bK.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 1080
6⤵
- Program crash
PID:448

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w90eP12.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w90eP12.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1896
5⤵
- Program crash
PID:5088

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xwVHG36.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xwVHG36.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y92qr06.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y92qr06.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2804

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:4216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1340

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:4488

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1780

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:636

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:3768

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 444 -ip 444
1⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1512 -ip 1512
1⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:2372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y92qr06.exe
Filesize
236KB

MD5
22e32721bd096fd1a068535c4d9c9429

SHA1
1a77b7350e9f1b2eab1f5fc4e2ccda5a1dfd31fb

SHA256
00758c2f95c4d480041f8339eb627f60c6e8de8331a33673225dd7bbe0e33c5b

SHA512
b85ef499416231f6fd5a3574dfc38c8e33e7c671a2aea1efc6bbffd765dbea75b3caa8a846da7fa00916a3e4be49d54332e48cb840047d4a8a44cc319bafe1bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y92qr06.exe
Filesize
236KB

MD5
22e32721bd096fd1a068535c4d9c9429

SHA1
1a77b7350e9f1b2eab1f5fc4e2ccda5a1dfd31fb

SHA256
00758c2f95c4d480041f8339eb627f60c6e8de8331a33673225dd7bbe0e33c5b

SHA512
b85ef499416231f6fd5a3574dfc38c8e33e7c671a2aea1efc6bbffd765dbea75b3caa8a846da7fa00916a3e4be49d54332e48cb840047d4a8a44cc319bafe1bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2589.exe
Filesize
808KB

MD5
00a3548b5f74729b7701535e26099543

SHA1
71aa0f9b3d3c1912e3704e0dd0917ae92a82f4f2

SHA256
908d9e26a007b9d00336487f5938b15a745987ba0ecf7a240fd87709045cbc12

SHA512
ccf9e29bb4d7146c4cf5fbdd68cccddbbfffdbc4f93327293647d9e7324d1ede150753d9fa64d70542873ed961ef232f87a8bc042e420aae55874f603175611b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2589.exe
Filesize
808KB

MD5
00a3548b5f74729b7701535e26099543

SHA1
71aa0f9b3d3c1912e3704e0dd0917ae92a82f4f2

SHA256
908d9e26a007b9d00336487f5938b15a745987ba0ecf7a240fd87709045cbc12

SHA512
ccf9e29bb4d7146c4cf5fbdd68cccddbbfffdbc4f93327293647d9e7324d1ede150753d9fa64d70542873ed961ef232f87a8bc042e420aae55874f603175611b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xwVHG36.exe
Filesize
175KB

MD5
7dfd70dcb62333e8d313441eb93318fc

SHA1
cb8b2b0045c10c458a6474f0e7deed5bc2919283

SHA256
0f629558db97550e63ca7a35f906641fa1965525277bd3b3368c5335b495df8b

SHA512
4273e9d7f9e70d6bab56bc8b973368de5f68479c12788597bf2a880ce56ad5491feab2303fd6384a69e935d2b53c616e53e012f6588537bc09fe0b737b69d599

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xwVHG36.exe
Filesize
175KB

MD5
7dfd70dcb62333e8d313441eb93318fc

SHA1
cb8b2b0045c10c458a6474f0e7deed5bc2919283

SHA256
0f629558db97550e63ca7a35f906641fa1965525277bd3b3368c5335b495df8b

SHA512
4273e9d7f9e70d6bab56bc8b973368de5f68479c12788597bf2a880ce56ad5491feab2303fd6384a69e935d2b53c616e53e012f6588537bc09fe0b737b69d599

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1068.exe
Filesize
665KB

MD5
5d40c5bb341aa30e08a8eef62557e96b

SHA1
7c4dfe718fb01211459cc83baf8168413aa44533

SHA256
eb3d3b8f40edf46e17f6b62ab2598166ff8d6aebea22bf42df52b119b4fe13a8

SHA512
9ee9863702eacb202f7dd3ad75c49c16223a51deae9828c699f128161c9d6eb8866f484caf694d32565df26cf064477f0c2aa4a9337149cf2b622c9ee69b65b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1068.exe
Filesize
665KB

MD5
5d40c5bb341aa30e08a8eef62557e96b

SHA1
7c4dfe718fb01211459cc83baf8168413aa44533

SHA256
eb3d3b8f40edf46e17f6b62ab2598166ff8d6aebea22bf42df52b119b4fe13a8

SHA512
9ee9863702eacb202f7dd3ad75c49c16223a51deae9828c699f128161c9d6eb8866f484caf694d32565df26cf064477f0c2aa4a9337149cf2b622c9ee69b65b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w90eP12.exe
Filesize
342KB

MD5
4e69fdadb1aecd67cc144eaa06596094

SHA1
478874aa9baaa60bf6cad026934530d8aef0f42a

SHA256
41ca70f987ed3fcc374a84c53a4a2c8895be1bf9f2cf992a6360b9c6a71d1c81

SHA512
7ebd902ae9c205564ab2f71eb46451780b85b17c3c50cddfefaad680a2ff415a9a42fad030d79e89f7eb8d3c4c3bb38119f779147767591e910c15c3fff57825

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w90eP12.exe
Filesize
342KB

MD5
4e69fdadb1aecd67cc144eaa06596094

SHA1
478874aa9baaa60bf6cad026934530d8aef0f42a

SHA256
41ca70f987ed3fcc374a84c53a4a2c8895be1bf9f2cf992a6360b9c6a71d1c81

SHA512
7ebd902ae9c205564ab2f71eb46451780b85b17c3c50cddfefaad680a2ff415a9a42fad030d79e89f7eb8d3c4c3bb38119f779147767591e910c15c3fff57825

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4501.exe
Filesize
329KB

MD5
aa05146a1800253dfc84309424a3fe95

SHA1
31e185466c5ba8bd7f7b5cd9c12bb2ee836a0864

SHA256
0299014a27a43da2c9cc8ce69fd328fd92c111cf642a1c08a30faa15b5a6f6c4

SHA512
940098b61b7807dec2cc5936f8b4a3218713f80ee38c7014f9f4022338c9180af3747fc52f18f723747862c885adaaae176d45efeaf65b8454bf1fb1a8fb1348

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4501.exe
Filesize
329KB

MD5
aa05146a1800253dfc84309424a3fe95

SHA1
31e185466c5ba8bd7f7b5cd9c12bb2ee836a0864

SHA256
0299014a27a43da2c9cc8ce69fd328fd92c111cf642a1c08a30faa15b5a6f6c4

SHA512
940098b61b7807dec2cc5936f8b4a3218713f80ee38c7014f9f4022338c9180af3747fc52f18f723747862c885adaaae176d45efeaf65b8454bf1fb1a8fb1348

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2327.exe
Filesize
12KB

MD5
4efa98b86a490e7a7ca03d84f05cc782

SHA1
770acf9e1f8ea0e1bbb5b928f63372fe34dca76a

SHA256
b51258250cc54e3fccfd45dc971d4449588ac7ebd412937745ad699c3d2ab552

SHA512
10146688a2037c8b91b8a523353cc3a8106b187664dc7ebb379c6ff3c66df4ab4a7eadf7d7518bc1aa76395e5346d5d88db5332e064896548c81eef57036f7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2327.exe
Filesize
12KB

MD5
4efa98b86a490e7a7ca03d84f05cc782

SHA1
770acf9e1f8ea0e1bbb5b928f63372fe34dca76a

SHA256
b51258250cc54e3fccfd45dc971d4449588ac7ebd412937745ad699c3d2ab552

SHA512
10146688a2037c8b91b8a523353cc3a8106b187664dc7ebb379c6ff3c66df4ab4a7eadf7d7518bc1aa76395e5346d5d88db5332e064896548c81eef57036f7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7095bK.exe
Filesize
284KB

MD5
9b64077dd61b79b49c17aed855539a8d

SHA1
dcbefa21ed2e3ce769e1e509a55b1af4c5025c19

SHA256
1ef569473b4ad905b02dca9605e3dc402cd97d063aa73e5dbc4da8fd515faf01

SHA512
a360aa4cdfc37c20accbc6082cd8310821c76b12f13dfa729975234d0c7cc4f45c9b7e19f7249e094fc62b440b24a8df44ded1b357b550f181736d3aba8f2647

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7095bK.exe
Filesize
284KB

MD5
9b64077dd61b79b49c17aed855539a8d

SHA1
dcbefa21ed2e3ce769e1e509a55b1af4c5025c19

SHA256
1ef569473b4ad905b02dca9605e3dc402cd97d063aa73e5dbc4da8fd515faf01

SHA512
a360aa4cdfc37c20accbc6082cd8310821c76b12f13dfa729975234d0c7cc4f45c9b7e19f7249e094fc62b440b24a8df44ded1b357b550f181736d3aba8f2647

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
22e32721bd096fd1a068535c4d9c9429

SHA1
1a77b7350e9f1b2eab1f5fc4e2ccda5a1dfd31fb

SHA256
00758c2f95c4d480041f8339eb627f60c6e8de8331a33673225dd7bbe0e33c5b

SHA512
b85ef499416231f6fd5a3574dfc38c8e33e7c671a2aea1efc6bbffd765dbea75b3caa8a846da7fa00916a3e4be49d54332e48cb840047d4a8a44cc319bafe1bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
22e32721bd096fd1a068535c4d9c9429

SHA1
1a77b7350e9f1b2eab1f5fc4e2ccda5a1dfd31fb

SHA256
00758c2f95c4d480041f8339eb627f60c6e8de8331a33673225dd7bbe0e33c5b

SHA512
b85ef499416231f6fd5a3574dfc38c8e33e7c671a2aea1efc6bbffd765dbea75b3caa8a846da7fa00916a3e4be49d54332e48cb840047d4a8a44cc319bafe1bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
22e32721bd096fd1a068535c4d9c9429

SHA1
1a77b7350e9f1b2eab1f5fc4e2ccda5a1dfd31fb

SHA256
00758c2f95c4d480041f8339eb627f60c6e8de8331a33673225dd7bbe0e33c5b

SHA512
b85ef499416231f6fd5a3574dfc38c8e33e7c671a2aea1efc6bbffd765dbea75b3caa8a846da7fa00916a3e4be49d54332e48cb840047d4a8a44cc319bafe1bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
22e32721bd096fd1a068535c4d9c9429

SHA1
1a77b7350e9f1b2eab1f5fc4e2ccda5a1dfd31fb

SHA256
00758c2f95c4d480041f8339eb627f60c6e8de8331a33673225dd7bbe0e33c5b

SHA512
b85ef499416231f6fd5a3574dfc38c8e33e7c671a2aea1efc6bbffd765dbea75b3caa8a846da7fa00916a3e4be49d54332e48cb840047d4a8a44cc319bafe1bc

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/444-181-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/444-183-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/444-185-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/444-187-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/444-189-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/444-191-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/444-193-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/444-195-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/444-197-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/444-199-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/444-200-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/444-201-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/444-202-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/444-204-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/444-179-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/444-177-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/444-175-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/444-173-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/444-172-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/444-171-0x00000000073B0000-0x0000000007954000-memory.dmp

Filesize
5.6MB

Download
memory/444-170-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/444-169-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/444-168-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/444-167-0x0000000002CD0000-0x0000000002CFD000-memory.dmp

Filesize
180KB

Download
memory/1512-215-0x0000000007720000-0x000000000775F000-memory.dmp

Filesize
252KB

Download
memory/1512-1125-0x0000000008B90000-0x0000000008D52000-memory.dmp

Filesize
1.8MB

Download
memory/1512-230-0x0000000007720000-0x000000000775F000-memory.dmp

Filesize
252KB

Download
memory/1512-232-0x0000000007720000-0x000000000775F000-memory.dmp

Filesize
252KB

Download
memory/1512-234-0x0000000007720000-0x000000000775F000-memory.dmp

Filesize
252KB

Download
memory/1512-236-0x0000000007720000-0x000000000775F000-memory.dmp

Filesize
252KB

Download
memory/1512-238-0x0000000007720000-0x000000000775F000-memory.dmp

Filesize
252KB

Download
memory/1512-240-0x0000000007720000-0x000000000775F000-memory.dmp

Filesize
252KB

Download
memory/1512-242-0x0000000007720000-0x000000000775F000-memory.dmp

Filesize
252KB

Download
memory/1512-244-0x0000000007720000-0x000000000775F000-memory.dmp

Filesize
252KB

Download
memory/1512-1117-0x00000000078D0000-0x0000000007EE8000-memory.dmp

Filesize
6.1MB

Download
memory/1512-1118-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/1512-1119-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/1512-1120-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/1512-1121-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/1512-1123-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/1512-1124-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/1512-228-0x0000000007720000-0x000000000775F000-memory.dmp

Filesize
252KB

Download
memory/1512-1126-0x0000000008D60000-0x000000000928C000-memory.dmp

Filesize
5.2MB

Download
memory/1512-1127-0x00000000093C0000-0x0000000009436000-memory.dmp

Filesize
472KB

Download
memory/1512-1128-0x0000000009440000-0x0000000009490000-memory.dmp

Filesize
320KB

Download
memory/1512-1129-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/1512-209-0x0000000007720000-0x000000000775F000-memory.dmp

Filesize
252KB

Download
memory/1512-212-0x0000000007720000-0x000000000775F000-memory.dmp

Filesize
252KB

Download
memory/1512-210-0x0000000007720000-0x000000000775F000-memory.dmp

Filesize
252KB

Download
memory/1512-214-0x0000000002CE0000-0x0000000002D2B000-memory.dmp

Filesize
300KB

Download
memory/1512-226-0x0000000007720000-0x000000000775F000-memory.dmp

Filesize
252KB

Download
memory/1512-224-0x0000000007720000-0x000000000775F000-memory.dmp

Filesize
252KB

Download
memory/1512-222-0x0000000007720000-0x000000000775F000-memory.dmp

Filesize
252KB

Download
memory/1512-220-0x0000000007720000-0x000000000775F000-memory.dmp

Filesize
252KB

Download
memory/1512-218-0x0000000007720000-0x000000000775F000-memory.dmp

Filesize
252KB

Download
memory/1512-216-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/3424-161-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/4492-1137-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4492-1136-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4492-1135-0x00000000004C0000-0x00000000004F2000-memory.dmp

Filesize
200KB

Download