amadey | bdfa6752704f261572d3b152e1f1f0ccc214a337a5066456c7f31430d3c03bc7

Analysis

max time kernel
135s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdfa6752704f261572d3b152e1f1f0ccc214a337a5066456c7f31430d3c03bc7.exe
Size

991KB
MD5

2479417690b386c2938197e5d7ed79d8
SHA1

d1596e79406d9b79a21a401ff091cc649e621333
SHA256

bdfa6752704f261572d3b152e1f1f0ccc214a337a5066456c7f31430d3c03bc7
SHA512

d62eba068895afdc7a4db9ed028667ac111ca426ecc53ea17b1a426f2b5872c4a30bd7156c7c26a5d9296cc432eeb0a317dc41eb0049db4fcbdc5bc8a4662f46
SSDEEP

12288:oMr/y905cUiTyi+JPES9dyUBgq8omMJ7GbCwlSyH2jq2IMIr0knPuqZb8xoXF:nyKqyvK0yUBIomMJ7GbCPyHZEmfnJz

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz2609.exev4656bd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz2609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz2609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v4656bd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz2609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz2609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz2609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v4656bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v4656bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v4656bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz2609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v4656bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v4656bd.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2092-211-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/2092-213-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/2092-216-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/2092-218-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/2092-220-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/2092-222-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/2092-224-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/2092-226-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/2092-228-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/2092-230-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/2092-232-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/2092-234-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/2092-236-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/2092-238-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/2092-240-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/2092-242-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/2092-244-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/2092-246-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/2092-1128-0x00000000072A0000-0x00000000072B0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y86RW23.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	y86RW23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 11 IoCs

Processes:

zap9165.exezap7364.exezap9053.exetz2609.exev4656bd.exew07jX10.exexntuz45.exey86RW23.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
1036	zap9165.exe
1752	zap7364.exe
1668	zap9053.exe
1108	tz2609.exe
3832	v4656bd.exe
2092	w07jX10.exe
2812	xntuz45.exe
2884	y86RW23.exe
4908	oneetx.exe
1168	oneetx.exe
2644	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1188 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1188	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v4656bd.exetz2609.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v4656bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v4656bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz2609.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap9165.exezap7364.exezap9053.exebdfa6752704f261572d3b152e1f1f0ccc214a337a5066456c7f31430d3c03bc7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9165.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap9165.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7364.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap7364.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9053.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap9053.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bdfa6752704f261572d3b152e1f1f0ccc214a337a5066456c7f31430d3c03bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bdfa6752704f261572d3b152e1f1f0ccc214a337a5066456c7f31430d3c03bc7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3360 3832 WerFault.exe v4656bd.exe
4496 2092 WerFault.exe w07jX10.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3912 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz2609.exev4656bd.exew07jX10.exexntuz45.exe

pid process

1108 tz2609.exe
1108 tz2609.exe
3832 v4656bd.exe
3832 v4656bd.exe
2092 w07jX10.exe
2092 w07jX10.exe
2812 xntuz45.exe
2812 xntuz45.exe

pid	pid_target	process	target process
3360	3832	WerFault.exe	v4656bd.exe
4496	2092	WerFault.exe	w07jX10.exe

pid	process
3912	schtasks.exe

pid	process
1108	tz2609.exe
1108	tz2609.exe
3832	v4656bd.exe
3832	v4656bd.exe
2092	w07jX10.exe
2092	w07jX10.exe
2812	xntuz45.exe
2812	xntuz45.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz2609.exev4656bd.exew07jX10.exexntuz45.exe

description	pid	process
Token: SeDebugPrivilege	1108	tz2609.exe
Token: SeDebugPrivilege	3832	v4656bd.exe
Token: SeDebugPrivilege	2092	w07jX10.exe
Token: SeDebugPrivilege	2812	xntuz45.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y86RW23.exe

pid process

2884 y86RW23.exe

pid	process
2884	y86RW23.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

bdfa6752704f261572d3b152e1f1f0ccc214a337a5066456c7f31430d3c03bc7.exezap9165.exezap7364.exezap9053.exey86RW23.exeoneetx.execmd.exe

description	pid	process	target process
PID 2208 wrote to memory of 1036	2208	bdfa6752704f261572d3b152e1f1f0ccc214a337a5066456c7f31430d3c03bc7.exe	zap9165.exe
PID 2208 wrote to memory of 1036	2208	bdfa6752704f261572d3b152e1f1f0ccc214a337a5066456c7f31430d3c03bc7.exe	zap9165.exe
PID 2208 wrote to memory of 1036	2208	bdfa6752704f261572d3b152e1f1f0ccc214a337a5066456c7f31430d3c03bc7.exe	zap9165.exe
PID 1036 wrote to memory of 1752	1036	zap9165.exe	zap7364.exe
PID 1036 wrote to memory of 1752	1036	zap9165.exe	zap7364.exe
PID 1036 wrote to memory of 1752	1036	zap9165.exe	zap7364.exe
PID 1752 wrote to memory of 1668	1752	zap7364.exe	zap9053.exe
PID 1752 wrote to memory of 1668	1752	zap7364.exe	zap9053.exe
PID 1752 wrote to memory of 1668	1752	zap7364.exe	zap9053.exe
PID 1668 wrote to memory of 1108	1668	zap9053.exe	tz2609.exe
PID 1668 wrote to memory of 1108	1668	zap9053.exe	tz2609.exe
PID 1668 wrote to memory of 3832	1668	zap9053.exe	v4656bd.exe
PID 1668 wrote to memory of 3832	1668	zap9053.exe	v4656bd.exe
PID 1668 wrote to memory of 3832	1668	zap9053.exe	v4656bd.exe
PID 1752 wrote to memory of 2092	1752	zap7364.exe	w07jX10.exe
PID 1752 wrote to memory of 2092	1752	zap7364.exe	w07jX10.exe
PID 1752 wrote to memory of 2092	1752	zap7364.exe	w07jX10.exe
PID 1036 wrote to memory of 2812	1036	zap9165.exe	xntuz45.exe
PID 1036 wrote to memory of 2812	1036	zap9165.exe	xntuz45.exe
PID 1036 wrote to memory of 2812	1036	zap9165.exe	xntuz45.exe
PID 2208 wrote to memory of 2884	2208	bdfa6752704f261572d3b152e1f1f0ccc214a337a5066456c7f31430d3c03bc7.exe	y86RW23.exe
PID 2208 wrote to memory of 2884	2208	bdfa6752704f261572d3b152e1f1f0ccc214a337a5066456c7f31430d3c03bc7.exe	y86RW23.exe
PID 2208 wrote to memory of 2884	2208	bdfa6752704f261572d3b152e1f1f0ccc214a337a5066456c7f31430d3c03bc7.exe	y86RW23.exe
PID 2884 wrote to memory of 4908	2884	y86RW23.exe	oneetx.exe
PID 2884 wrote to memory of 4908	2884	y86RW23.exe	oneetx.exe
PID 2884 wrote to memory of 4908	2884	y86RW23.exe	oneetx.exe
PID 4908 wrote to memory of 3912	4908	oneetx.exe	schtasks.exe
PID 4908 wrote to memory of 3912	4908	oneetx.exe	schtasks.exe
PID 4908 wrote to memory of 3912	4908	oneetx.exe	schtasks.exe
PID 4908 wrote to memory of 4328	4908	oneetx.exe	cmd.exe
PID 4908 wrote to memory of 4328	4908	oneetx.exe	cmd.exe
PID 4908 wrote to memory of 4328	4908	oneetx.exe	cmd.exe
PID 4328 wrote to memory of 4632	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 4632	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 4632	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 4748	4328	cmd.exe	cacls.exe
PID 4328 wrote to memory of 4748	4328	cmd.exe	cacls.exe
PID 4328 wrote to memory of 4748	4328	cmd.exe	cacls.exe
PID 4328 wrote to memory of 3632	4328	cmd.exe	cacls.exe
PID 4328 wrote to memory of 3632	4328	cmd.exe	cacls.exe
PID 4328 wrote to memory of 3632	4328	cmd.exe	cacls.exe
PID 4328 wrote to memory of 3280	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 3280	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 3280	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 3732	4328	cmd.exe	cacls.exe
PID 4328 wrote to memory of 3732	4328	cmd.exe	cacls.exe
PID 4328 wrote to memory of 3732	4328	cmd.exe	cacls.exe
PID 4328 wrote to memory of 1456	4328	cmd.exe	cacls.exe
PID 4328 wrote to memory of 1456	4328	cmd.exe	cacls.exe
PID 4328 wrote to memory of 1456	4328	cmd.exe	cacls.exe
PID 4908 wrote to memory of 1188	4908	oneetx.exe	rundll32.exe
PID 4908 wrote to memory of 1188	4908	oneetx.exe	rundll32.exe
PID 4908 wrote to memory of 1188	4908	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\bdfa6752704f261572d3b152e1f1f0ccc214a337a5066456c7f31430d3c03bc7.exe
"C:\Users\Admin\AppData\Local\Temp\bdfa6752704f261572d3b152e1f1f0ccc214a337a5066456c7f31430d3c03bc7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9165.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9165.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7364.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7364.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9053.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9053.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2609.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2609.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4656bd.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4656bd.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 1056
6⤵
- Program crash
PID:3360

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w07jX10.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w07jX10.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1884
5⤵
- Program crash
PID:4496

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xntuz45.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xntuz45.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y86RW23.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y86RW23.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2884

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:3912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4632

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:4748

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3280

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:3732

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:1456

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3832 -ip 3832
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2092 -ip 2092
1⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:1168

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:2644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y86RW23.exe
Filesize
236KB

MD5
3c827286b7c0749931664ba86ba6a2cf

SHA1
228bb822b75a1acb9d78b947af780c16a22c3879

SHA256
882a94b59aef6d34ad84e4d78f197be9f075edc068ecb0178b8bdfa8bced6af6

SHA512
505740aef8bb5f46bb402af579c60afae9115a43ae689869de5e855bc69fc8b45e2ab5a1124e84fb9d62fc0e1cc9f4fd2e2a09b40141e4f289dff0be16991968

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y86RW23.exe
Filesize
236KB

MD5
3c827286b7c0749931664ba86ba6a2cf

SHA1
228bb822b75a1acb9d78b947af780c16a22c3879

SHA256
882a94b59aef6d34ad84e4d78f197be9f075edc068ecb0178b8bdfa8bced6af6

SHA512
505740aef8bb5f46bb402af579c60afae9115a43ae689869de5e855bc69fc8b45e2ab5a1124e84fb9d62fc0e1cc9f4fd2e2a09b40141e4f289dff0be16991968

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9165.exe
Filesize
807KB

MD5
f2f1904f3f6c54ea2dcfd1a7902f5e9a

SHA1
345210171862e3438fc20f5940db662f16a2be4f

SHA256
97e31fbcf4ffcb6e18f168b16f4f95f25887bc529b3e9c9a3485844e6ca10752

SHA512
64c66ed0677b43e83043668be514002bf3410c0c1006b954eee54f9651864a2a4de40a289a1ef35085153354ed43cfad7b0ea727299ddf4bd2dc9430faa24689

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9165.exe
Filesize
807KB

MD5
f2f1904f3f6c54ea2dcfd1a7902f5e9a

SHA1
345210171862e3438fc20f5940db662f16a2be4f

SHA256
97e31fbcf4ffcb6e18f168b16f4f95f25887bc529b3e9c9a3485844e6ca10752

SHA512
64c66ed0677b43e83043668be514002bf3410c0c1006b954eee54f9651864a2a4de40a289a1ef35085153354ed43cfad7b0ea727299ddf4bd2dc9430faa24689

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xntuz45.exe
Filesize
175KB

MD5
49826df2ac4bd4a2b638cabc9a192037

SHA1
bcf82e2ff19983b31b81f8909108d54b9e638411

SHA256
c8609cea43352c3398ca3b73736515a8c72edb71dbab1be8f219ef8dda6298b3

SHA512
a62daa553cd0d2257e628a6f503b149eb0bc9c70b2dfd526cffa106ef562302e5ff3f0f3cef426a48423ac1429bbfe362e942aa7ced67806f074fd760c16fe25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xntuz45.exe
Filesize
175KB

MD5
49826df2ac4bd4a2b638cabc9a192037

SHA1
bcf82e2ff19983b31b81f8909108d54b9e638411

SHA256
c8609cea43352c3398ca3b73736515a8c72edb71dbab1be8f219ef8dda6298b3

SHA512
a62daa553cd0d2257e628a6f503b149eb0bc9c70b2dfd526cffa106ef562302e5ff3f0f3cef426a48423ac1429bbfe362e942aa7ced67806f074fd760c16fe25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7364.exe
Filesize
665KB

MD5
e6bd3bde302bd3b2102302d11180ae5f

SHA1
f33a6cc8d3c0e9daa4bc845c0a676525bc933429

SHA256
a2c820b1f94ee809ca5cd9cf027e35575d608beaa149054de241ee0e7f4f4a22

SHA512
80252157539cd6bf0d19da4904cc318642e595b62232e94f05aea147b81774f1ca1b413a98217adfb8d53c8a237e89e3e2db143fa53f4c1e62f85f5ee1c5f110

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7364.exe
Filesize
665KB

MD5
e6bd3bde302bd3b2102302d11180ae5f

SHA1
f33a6cc8d3c0e9daa4bc845c0a676525bc933429

SHA256
a2c820b1f94ee809ca5cd9cf027e35575d608beaa149054de241ee0e7f4f4a22

SHA512
80252157539cd6bf0d19da4904cc318642e595b62232e94f05aea147b81774f1ca1b413a98217adfb8d53c8a237e89e3e2db143fa53f4c1e62f85f5ee1c5f110

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w07jX10.exe
Filesize
342KB

MD5
e6fd1b86a222b81eca215e66c18cb7ef

SHA1
b69b67120e0a5383ec67758693bbb9fb1cc29acb

SHA256
e83d0a3e7cba1ff0d1d2c9600dd33a283b2a40b6ce25cbf3fe1d462e495a34c6

SHA512
660f981f5728ed65abd31258ff3af26036567763c8073388cee551cf3d8fa46e060b05ff4428a3c8ca65fb49e7fb0965d2a7c8fbb2f6a36dd8e9abbe4c5f9b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w07jX10.exe
Filesize
342KB

MD5
e6fd1b86a222b81eca215e66c18cb7ef

SHA1
b69b67120e0a5383ec67758693bbb9fb1cc29acb

SHA256
e83d0a3e7cba1ff0d1d2c9600dd33a283b2a40b6ce25cbf3fe1d462e495a34c6

SHA512
660f981f5728ed65abd31258ff3af26036567763c8073388cee551cf3d8fa46e060b05ff4428a3c8ca65fb49e7fb0965d2a7c8fbb2f6a36dd8e9abbe4c5f9b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9053.exe
Filesize
329KB

MD5
cc00286d8e6744e8e90599f8af166122

SHA1
274c27b61983b72987580f2ad2b7eee8aaad64db

SHA256
911d216631abf4fbb8852f6f00b66447b377a028be05d92eebb42dee30d13239

SHA512
efbd9b2462a3dd409f2399937874d1044acacd6914b616ed75a63d05662fc67072e7a7d66fa4186508cf12291afc4c4894f4b584392aa6417afb661131c3da78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9053.exe
Filesize
329KB

MD5
cc00286d8e6744e8e90599f8af166122

SHA1
274c27b61983b72987580f2ad2b7eee8aaad64db

SHA256
911d216631abf4fbb8852f6f00b66447b377a028be05d92eebb42dee30d13239

SHA512
efbd9b2462a3dd409f2399937874d1044acacd6914b616ed75a63d05662fc67072e7a7d66fa4186508cf12291afc4c4894f4b584392aa6417afb661131c3da78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2609.exe
Filesize
12KB

MD5
e5d5a5039dbe34715d4ce530ba2ae586

SHA1
3a01947e236cd63c155fa4ad116ae58b5c53011f

SHA256
bb34ecdc8e5d1b7896cd8bb318d4c2712ee6c136f3979bdde55a840be5ec242a

SHA512
81dcd099eb2d0a0631f54b7dd02ac44bf5a293fa4c6fc77f183955146232d8c690b26aa0d1ce5cbaaafeeba86638febffffe134551d063125d3fb3612fcb9520

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2609.exe
Filesize
12KB

MD5
e5d5a5039dbe34715d4ce530ba2ae586

SHA1
3a01947e236cd63c155fa4ad116ae58b5c53011f

SHA256
bb34ecdc8e5d1b7896cd8bb318d4c2712ee6c136f3979bdde55a840be5ec242a

SHA512
81dcd099eb2d0a0631f54b7dd02ac44bf5a293fa4c6fc77f183955146232d8c690b26aa0d1ce5cbaaafeeba86638febffffe134551d063125d3fb3612fcb9520

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4656bd.exe
Filesize
284KB

MD5
e6c8a14afc762148733b30bb973c8a72

SHA1
a892c56d983b1623689e865da0727199a93a29b4

SHA256
488e5e5711a10e02a8dea7cfd15694f2c48a202977ad758274379306ca5357de

SHA512
262f9d616f6817dd2dc79d7f8c0cbc6774e0eb5a53c1cc4077fa01c04b15e8f2d14f8c0f32ede718a6c7261915295f29f8cd671f8a34d78c9413426ce2f395f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4656bd.exe
Filesize
284KB

MD5
e6c8a14afc762148733b30bb973c8a72

SHA1
a892c56d983b1623689e865da0727199a93a29b4

SHA256
488e5e5711a10e02a8dea7cfd15694f2c48a202977ad758274379306ca5357de

SHA512
262f9d616f6817dd2dc79d7f8c0cbc6774e0eb5a53c1cc4077fa01c04b15e8f2d14f8c0f32ede718a6c7261915295f29f8cd671f8a34d78c9413426ce2f395f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
3c827286b7c0749931664ba86ba6a2cf

SHA1
228bb822b75a1acb9d78b947af780c16a22c3879

SHA256
882a94b59aef6d34ad84e4d78f197be9f075edc068ecb0178b8bdfa8bced6af6

SHA512
505740aef8bb5f46bb402af579c60afae9115a43ae689869de5e855bc69fc8b45e2ab5a1124e84fb9d62fc0e1cc9f4fd2e2a09b40141e4f289dff0be16991968

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
3c827286b7c0749931664ba86ba6a2cf

SHA1
228bb822b75a1acb9d78b947af780c16a22c3879

SHA256
882a94b59aef6d34ad84e4d78f197be9f075edc068ecb0178b8bdfa8bced6af6

SHA512
505740aef8bb5f46bb402af579c60afae9115a43ae689869de5e855bc69fc8b45e2ab5a1124e84fb9d62fc0e1cc9f4fd2e2a09b40141e4f289dff0be16991968

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
3c827286b7c0749931664ba86ba6a2cf

SHA1
228bb822b75a1acb9d78b947af780c16a22c3879

SHA256
882a94b59aef6d34ad84e4d78f197be9f075edc068ecb0178b8bdfa8bced6af6

SHA512
505740aef8bb5f46bb402af579c60afae9115a43ae689869de5e855bc69fc8b45e2ab5a1124e84fb9d62fc0e1cc9f4fd2e2a09b40141e4f289dff0be16991968

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
3c827286b7c0749931664ba86ba6a2cf

SHA1
228bb822b75a1acb9d78b947af780c16a22c3879

SHA256
882a94b59aef6d34ad84e4d78f197be9f075edc068ecb0178b8bdfa8bced6af6

SHA512
505740aef8bb5f46bb402af579c60afae9115a43ae689869de5e855bc69fc8b45e2ab5a1124e84fb9d62fc0e1cc9f4fd2e2a09b40141e4f289dff0be16991968

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
3c827286b7c0749931664ba86ba6a2cf

SHA1
228bb822b75a1acb9d78b947af780c16a22c3879

SHA256
882a94b59aef6d34ad84e4d78f197be9f075edc068ecb0178b8bdfa8bced6af6

SHA512
505740aef8bb5f46bb402af579c60afae9115a43ae689869de5e855bc69fc8b45e2ab5a1124e84fb9d62fc0e1cc9f4fd2e2a09b40141e4f289dff0be16991968

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1108-161-0x00000000008C0000-0x00000000008CA000-memory.dmp

Filesize
40KB

Download
memory/2092-1127-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2092-244-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/2092-1134-0x00000000097D0000-0x0000000009820000-memory.dmp

Filesize
320KB

Download
memory/2092-1133-0x0000000009730000-0x00000000097A6000-memory.dmp

Filesize
472KB

Download
memory/2092-1132-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2092-1131-0x00000000090E0000-0x000000000960C000-memory.dmp

Filesize
5.2MB

Download
memory/2092-1130-0x0000000008F00000-0x00000000090C2000-memory.dmp

Filesize
1.8MB

Download
memory/2092-1129-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/2092-1128-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2092-1126-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2092-1125-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/2092-209-0x0000000002CF0000-0x0000000002D3B000-memory.dmp

Filesize
300KB

Download
memory/2092-212-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2092-211-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/2092-213-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/2092-210-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2092-215-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2092-216-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/2092-218-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/2092-220-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/2092-222-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/2092-224-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/2092-226-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/2092-228-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/2092-230-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/2092-232-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/2092-234-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/2092-236-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/2092-238-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/2092-240-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/2092-242-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/2092-1123-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2092-246-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/2092-1119-0x0000000007960000-0x0000000007F78000-memory.dmp

Filesize
6.1MB

Download
memory/2092-1120-0x0000000007F80000-0x000000000808A000-memory.dmp

Filesize
1.0MB

Download
memory/2092-1121-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/2092-1122-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/2812-1140-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/2812-1142-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/2812-1141-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/3832-183-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3832-191-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3832-202-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/3832-201-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/3832-200-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/3832-199-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3832-197-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3832-195-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3832-185-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3832-193-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3832-187-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3832-204-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/3832-189-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3832-181-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3832-179-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3832-177-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3832-175-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3832-173-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3832-172-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3832-171-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/3832-170-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/3832-169-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/3832-168-0x0000000002CB0000-0x0000000002CDD000-memory.dmp

Filesize
180KB

Download
memory/3832-167-0x0000000007300000-0x00000000078A4000-memory.dmp

Filesize
5.6MB

Download