amadey | 2a8ecd9ac311d6ab88e8ddf96926b3e71f9bc0df082f69b823235761394ed81a

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a8ecd9ac311d6ab88e8ddf96926b3e71f9bc0df082f69b823235761394ed81a.exe
Size

992KB
MD5

a9ab6425bb99a0e4569a1c574aba2591
SHA1

32ed4e43a7bcf6d65eba2c768ed5372c6c4edae8
SHA256

2a8ecd9ac311d6ab88e8ddf96926b3e71f9bc0df082f69b823235761394ed81a
SHA512

53a9a579e0b85f122f2dc8638ac43849d399cbb0b2a8b1a47b5066ca170447472af0f7b191a4e9a5c6c500019c411c9f7e5f0c5026b0bf066015089e7a6e040e
SSDEEP

24576:5yYlQz4eXcxJS39MOSr/MH2rTFZrr/em18+skOscW:sYlQz4KqO00WrJZ3/3uts

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz2343.exev9294uD.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz2343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz2343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz2343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz2343.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v9294uD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v9294uD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v9294uD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz2343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v9294uD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v9294uD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v9294uD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz2343.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1656-211-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/1656-212-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/1656-214-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/1656-216-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/1656-218-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/1656-220-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/1656-223-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/1656-228-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/1656-227-0x0000000007290000-0x00000000072A0000-memory.dmp	family_redline
behavioral1/memory/1656-230-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/1656-232-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/1656-234-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/1656-236-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/1656-238-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/1656-242-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/1656-240-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/1656-244-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/1656-248-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/1656-246-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

oneetx.exey82aC37.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	y82aC37.exe

Executes dropped EXE 11 IoCs

Processes:

zap5906.exezap4066.exezap9500.exetz2343.exev9294uD.exew11nJ98.exexiAsi10.exey82aC37.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
2120	zap5906.exe
2984	zap4066.exe
372	zap9500.exe
2764	tz2343.exe
2968	v9294uD.exe
1656	w11nJ98.exe
5068	xiAsi10.exe
5076	y82aC37.exe
3524	oneetx.exe
3696	oneetx.exe
3652	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

408 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
408	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz2343.exev9294uD.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz2343.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v9294uD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v9294uD.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap9500.exe2a8ecd9ac311d6ab88e8ddf96926b3e71f9bc0df082f69b823235761394ed81a.exezap5906.exezap4066.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap9500.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2a8ecd9ac311d6ab88e8ddf96926b3e71f9bc0df082f69b823235761394ed81a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2a8ecd9ac311d6ab88e8ddf96926b3e71f9bc0df082f69b823235761394ed81a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap5906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap5906.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4066.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap4066.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4992 2968 WerFault.exe v9294uD.exe
4868 1656 WerFault.exe w11nJ98.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2900 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz2343.exev9294uD.exew11nJ98.exexiAsi10.exe

pid process

2764 tz2343.exe
2764 tz2343.exe
2968 v9294uD.exe
2968 v9294uD.exe
1656 w11nJ98.exe
1656 w11nJ98.exe
5068 xiAsi10.exe
5068 xiAsi10.exe

pid	pid_target	process	target process
4992	2968	WerFault.exe	v9294uD.exe
4868	1656	WerFault.exe	w11nJ98.exe

pid	process
2900	schtasks.exe

pid	process
2764	tz2343.exe
2764	tz2343.exe
2968	v9294uD.exe
2968	v9294uD.exe
1656	w11nJ98.exe
1656	w11nJ98.exe
5068	xiAsi10.exe
5068	xiAsi10.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz2343.exev9294uD.exew11nJ98.exexiAsi10.exe

description	pid	process
Token: SeDebugPrivilege	2764	tz2343.exe
Token: SeDebugPrivilege	2968	v9294uD.exe
Token: SeDebugPrivilege	1656	w11nJ98.exe
Token: SeDebugPrivilege	5068	xiAsi10.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y82aC37.exe

pid process

5076 y82aC37.exe

pid	process
5076	y82aC37.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

2a8ecd9ac311d6ab88e8ddf96926b3e71f9bc0df082f69b823235761394ed81a.exezap5906.exezap4066.exezap9500.exey82aC37.exeoneetx.execmd.exe

description	pid	process	target process
PID 4956 wrote to memory of 2120	4956	2a8ecd9ac311d6ab88e8ddf96926b3e71f9bc0df082f69b823235761394ed81a.exe	zap5906.exe
PID 4956 wrote to memory of 2120	4956	2a8ecd9ac311d6ab88e8ddf96926b3e71f9bc0df082f69b823235761394ed81a.exe	zap5906.exe
PID 4956 wrote to memory of 2120	4956	2a8ecd9ac311d6ab88e8ddf96926b3e71f9bc0df082f69b823235761394ed81a.exe	zap5906.exe
PID 2120 wrote to memory of 2984	2120	zap5906.exe	zap4066.exe
PID 2120 wrote to memory of 2984	2120	zap5906.exe	zap4066.exe
PID 2120 wrote to memory of 2984	2120	zap5906.exe	zap4066.exe
PID 2984 wrote to memory of 372	2984	zap4066.exe	zap9500.exe
PID 2984 wrote to memory of 372	2984	zap4066.exe	zap9500.exe
PID 2984 wrote to memory of 372	2984	zap4066.exe	zap9500.exe
PID 372 wrote to memory of 2764	372	zap9500.exe	tz2343.exe
PID 372 wrote to memory of 2764	372	zap9500.exe	tz2343.exe
PID 372 wrote to memory of 2968	372	zap9500.exe	v9294uD.exe
PID 372 wrote to memory of 2968	372	zap9500.exe	v9294uD.exe
PID 372 wrote to memory of 2968	372	zap9500.exe	v9294uD.exe
PID 2984 wrote to memory of 1656	2984	zap4066.exe	w11nJ98.exe
PID 2984 wrote to memory of 1656	2984	zap4066.exe	w11nJ98.exe
PID 2984 wrote to memory of 1656	2984	zap4066.exe	w11nJ98.exe
PID 2120 wrote to memory of 5068	2120	zap5906.exe	xiAsi10.exe
PID 2120 wrote to memory of 5068	2120	zap5906.exe	xiAsi10.exe
PID 2120 wrote to memory of 5068	2120	zap5906.exe	xiAsi10.exe
PID 4956 wrote to memory of 5076	4956	2a8ecd9ac311d6ab88e8ddf96926b3e71f9bc0df082f69b823235761394ed81a.exe	y82aC37.exe
PID 4956 wrote to memory of 5076	4956	2a8ecd9ac311d6ab88e8ddf96926b3e71f9bc0df082f69b823235761394ed81a.exe	y82aC37.exe
PID 4956 wrote to memory of 5076	4956	2a8ecd9ac311d6ab88e8ddf96926b3e71f9bc0df082f69b823235761394ed81a.exe	y82aC37.exe
PID 5076 wrote to memory of 3524	5076	y82aC37.exe	oneetx.exe
PID 5076 wrote to memory of 3524	5076	y82aC37.exe	oneetx.exe
PID 5076 wrote to memory of 3524	5076	y82aC37.exe	oneetx.exe
PID 3524 wrote to memory of 2900	3524	oneetx.exe	schtasks.exe
PID 3524 wrote to memory of 2900	3524	oneetx.exe	schtasks.exe
PID 3524 wrote to memory of 2900	3524	oneetx.exe	schtasks.exe
PID 3524 wrote to memory of 1672	3524	oneetx.exe	cmd.exe
PID 3524 wrote to memory of 1672	3524	oneetx.exe	cmd.exe
PID 3524 wrote to memory of 1672	3524	oneetx.exe	cmd.exe
PID 1672 wrote to memory of 2400	1672	cmd.exe	cmd.exe
PID 1672 wrote to memory of 2400	1672	cmd.exe	cmd.exe
PID 1672 wrote to memory of 2400	1672	cmd.exe	cmd.exe
PID 1672 wrote to memory of 2260	1672	cmd.exe	cacls.exe
PID 1672 wrote to memory of 2260	1672	cmd.exe	cacls.exe
PID 1672 wrote to memory of 2260	1672	cmd.exe	cacls.exe
PID 1672 wrote to memory of 920	1672	cmd.exe	cacls.exe
PID 1672 wrote to memory of 920	1672	cmd.exe	cacls.exe
PID 1672 wrote to memory of 920	1672	cmd.exe	cacls.exe
PID 1672 wrote to memory of 4592	1672	cmd.exe	cmd.exe
PID 1672 wrote to memory of 4592	1672	cmd.exe	cmd.exe
PID 1672 wrote to memory of 4592	1672	cmd.exe	cmd.exe
PID 1672 wrote to memory of 3136	1672	cmd.exe	cacls.exe
PID 1672 wrote to memory of 3136	1672	cmd.exe	cacls.exe
PID 1672 wrote to memory of 3136	1672	cmd.exe	cacls.exe
PID 1672 wrote to memory of 1572	1672	cmd.exe	cacls.exe
PID 1672 wrote to memory of 1572	1672	cmd.exe	cacls.exe
PID 1672 wrote to memory of 1572	1672	cmd.exe	cacls.exe
PID 3524 wrote to memory of 408	3524	oneetx.exe	rundll32.exe
PID 3524 wrote to memory of 408	3524	oneetx.exe	rundll32.exe
PID 3524 wrote to memory of 408	3524	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2a8ecd9ac311d6ab88e8ddf96926b3e71f9bc0df082f69b823235761394ed81a.exe
"C:\Users\Admin\AppData\Local\Temp\2a8ecd9ac311d6ab88e8ddf96926b3e71f9bc0df082f69b823235761394ed81a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4956

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5906.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5906.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2120

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4066.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4066.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2984

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9500.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9500.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:372

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2343.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2343.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9294uD.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9294uD.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1076
6⤵
- Program crash
PID:4992

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w11nJ98.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w11nJ98.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1352
5⤵
- Program crash
PID:4868

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xiAsi10.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xiAsi10.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82aC37.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82aC37.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5076

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:2900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2400

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:2260

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4592

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:3136

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:1572

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2968 -ip 2968
1⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1656 -ip 1656
1⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:3696

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:3652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82aC37.exe
Filesize
236KB

MD5
a31a46a96c8c7276445f0f7d21451a93

SHA1
a1822ffc97e9a3d0e0b3e3db873fc951342e5f3f

SHA256
15846e3aceaa89aea0e6f4f5ae5b42e3803eefa184cf27a9c9ca2d0213d7a635

SHA512
be06f487a982b16d0de15566c8d9fd135f943acc7b887cccd619beabec08ab03bc23bcdb8b4d7b81529e17d7319ec7b3c69ba6f6679051bc76ac72d83e92c60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82aC37.exe
Filesize
236KB

MD5
a31a46a96c8c7276445f0f7d21451a93

SHA1
a1822ffc97e9a3d0e0b3e3db873fc951342e5f3f

SHA256
15846e3aceaa89aea0e6f4f5ae5b42e3803eefa184cf27a9c9ca2d0213d7a635

SHA512
be06f487a982b16d0de15566c8d9fd135f943acc7b887cccd619beabec08ab03bc23bcdb8b4d7b81529e17d7319ec7b3c69ba6f6679051bc76ac72d83e92c60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5906.exe
Filesize
807KB

MD5
933df520b1746399ffb5ded17b8a5a8d

SHA1
dc6facba7e3eca6752ecef068ba9df9957234eeb

SHA256
00854ef279b67a881ddaf243b08f6dd411dfa5ad7aff61674d4e0cd69ad5717d

SHA512
d9a8942d3060deb2c04c5d28706fe33bf8108b150f130b148cea471d83599487dc62958a45702acd04dd697196613e01660daa8e312ce9605ccc8e5f7c69bb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5906.exe
Filesize
807KB

MD5
933df520b1746399ffb5ded17b8a5a8d

SHA1
dc6facba7e3eca6752ecef068ba9df9957234eeb

SHA256
00854ef279b67a881ddaf243b08f6dd411dfa5ad7aff61674d4e0cd69ad5717d

SHA512
d9a8942d3060deb2c04c5d28706fe33bf8108b150f130b148cea471d83599487dc62958a45702acd04dd697196613e01660daa8e312ce9605ccc8e5f7c69bb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xiAsi10.exe
Filesize
175KB

MD5
8d4d147e5cc356abc88d023a346fc9bc

SHA1
3e61049b2d6c08d03cf1d55d0e1e85d8237afa29

SHA256
906f89c90f4bae4ef6247e2f47bc0f13feff22300e9fa6209d6b278fcd5c0dd2

SHA512
98c032ab2e120f12d1816357e8abff31e864869f43bb605babb58976871cf6717c0694e12da1165cc0dc3ccd05b22de834efcc89ef9a279e277437c68798c72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xiAsi10.exe
Filesize
175KB

MD5
8d4d147e5cc356abc88d023a346fc9bc

SHA1
3e61049b2d6c08d03cf1d55d0e1e85d8237afa29

SHA256
906f89c90f4bae4ef6247e2f47bc0f13feff22300e9fa6209d6b278fcd5c0dd2

SHA512
98c032ab2e120f12d1816357e8abff31e864869f43bb605babb58976871cf6717c0694e12da1165cc0dc3ccd05b22de834efcc89ef9a279e277437c68798c72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4066.exe
Filesize
666KB

MD5
e0b8bf5caa4aa385df4d33b782cbd293

SHA1
4da88da56dc454c1cff408ed2ddc4afb6408bea3

SHA256
0bb4fdffd55b84a42eed55904159cb93e5b86f192dfa416839112787ccfd43a9

SHA512
ab5f98b4449dd84b6c6e9385b2009ce7f135caac72d0dffe6f98dfecc78226ca7736db84a400fa3b2b9e3952fa484be533b2f2aaa4bc39b912bd0f41826d568e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4066.exe
Filesize
666KB

MD5
e0b8bf5caa4aa385df4d33b782cbd293

SHA1
4da88da56dc454c1cff408ed2ddc4afb6408bea3

SHA256
0bb4fdffd55b84a42eed55904159cb93e5b86f192dfa416839112787ccfd43a9

SHA512
ab5f98b4449dd84b6c6e9385b2009ce7f135caac72d0dffe6f98dfecc78226ca7736db84a400fa3b2b9e3952fa484be533b2f2aaa4bc39b912bd0f41826d568e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w11nJ98.exe
Filesize
342KB

MD5
4deeb565261d9f20dcf01d87c0af5748

SHA1
89c2f9856e09572213000a79645243454d17bb16

SHA256
9d5d8e77f2deaf58e4581f3f6afc1584f3a01aba0107951f60d21d17429d8b51

SHA512
4a00f72437dbe2c91037be18ae84f0366275bfa35588f3d288ca0889aa07536cafb3f040e106e13b5a310795387c1c585a77b3088d468fa2cbc2fe01394c3bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w11nJ98.exe
Filesize
342KB

MD5
4deeb565261d9f20dcf01d87c0af5748

SHA1
89c2f9856e09572213000a79645243454d17bb16

SHA256
9d5d8e77f2deaf58e4581f3f6afc1584f3a01aba0107951f60d21d17429d8b51

SHA512
4a00f72437dbe2c91037be18ae84f0366275bfa35588f3d288ca0889aa07536cafb3f040e106e13b5a310795387c1c585a77b3088d468fa2cbc2fe01394c3bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9500.exe
Filesize
329KB

MD5
c1b66fe0f2a6664f1f84f3d6a82c2617

SHA1
c8f40c5abd716a71eded288ef8c0d39741ce3a0d

SHA256
935eb47379101569d84cca64d152b8c6c669d554c831a4d97aedacc3807baafc

SHA512
6bed7e244056dd2b6d02857b28e5a273e6c0b943c7d864345c801a9cbd3d95067688c7b1b0152450a9492b4ff0c8ebc462ec97dfadbdbc0a93a646b4f4bffc19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9500.exe
Filesize
329KB

MD5
c1b66fe0f2a6664f1f84f3d6a82c2617

SHA1
c8f40c5abd716a71eded288ef8c0d39741ce3a0d

SHA256
935eb47379101569d84cca64d152b8c6c669d554c831a4d97aedacc3807baafc

SHA512
6bed7e244056dd2b6d02857b28e5a273e6c0b943c7d864345c801a9cbd3d95067688c7b1b0152450a9492b4ff0c8ebc462ec97dfadbdbc0a93a646b4f4bffc19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2343.exe
Filesize
12KB

MD5
4f0067fbe90174aa4976a2bb1d0dbf91

SHA1
6334ff3713f0c9d11cbe7d746856c06fd0f934e9

SHA256
f73a90a9a8406035dbb3fab1a7382db4ee4afc2763baaac7cd414b867af2d133

SHA512
49c140176dbea1807c9197fdacdb6dd9acf81c5385f75747633b9ffdba7a72f7cc98601ba537d72a955f656d774b913fc89a2a8e3f7ec5ea32160b855266aa2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2343.exe
Filesize
12KB

MD5
4f0067fbe90174aa4976a2bb1d0dbf91

SHA1
6334ff3713f0c9d11cbe7d746856c06fd0f934e9

SHA256
f73a90a9a8406035dbb3fab1a7382db4ee4afc2763baaac7cd414b867af2d133

SHA512
49c140176dbea1807c9197fdacdb6dd9acf81c5385f75747633b9ffdba7a72f7cc98601ba537d72a955f656d774b913fc89a2a8e3f7ec5ea32160b855266aa2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9294uD.exe
Filesize
284KB

MD5
dc6a8d3c8c81d2804038c0c27d813533

SHA1
44338f0d703586869c51b2a7ee5157178993aaa6

SHA256
c80b1e4b693faf45434f2144e906826df6b2ce0d8cc2a5ecf625e74aa06a9a51

SHA512
e6c5db3957e11fb59e52b5a3603ebf4b17074f7492171064f94c0260e2eedb4445ddc5589be99bb5f58bfcc64aee41224205b79f029dfafc5371272c0b192fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9294uD.exe
Filesize
284KB

MD5
dc6a8d3c8c81d2804038c0c27d813533

SHA1
44338f0d703586869c51b2a7ee5157178993aaa6

SHA256
c80b1e4b693faf45434f2144e906826df6b2ce0d8cc2a5ecf625e74aa06a9a51

SHA512
e6c5db3957e11fb59e52b5a3603ebf4b17074f7492171064f94c0260e2eedb4445ddc5589be99bb5f58bfcc64aee41224205b79f029dfafc5371272c0b192fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
a31a46a96c8c7276445f0f7d21451a93

SHA1
a1822ffc97e9a3d0e0b3e3db873fc951342e5f3f

SHA256
15846e3aceaa89aea0e6f4f5ae5b42e3803eefa184cf27a9c9ca2d0213d7a635

SHA512
be06f487a982b16d0de15566c8d9fd135f943acc7b887cccd619beabec08ab03bc23bcdb8b4d7b81529e17d7319ec7b3c69ba6f6679051bc76ac72d83e92c60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
a31a46a96c8c7276445f0f7d21451a93

SHA1
a1822ffc97e9a3d0e0b3e3db873fc951342e5f3f

SHA256
15846e3aceaa89aea0e6f4f5ae5b42e3803eefa184cf27a9c9ca2d0213d7a635

SHA512
be06f487a982b16d0de15566c8d9fd135f943acc7b887cccd619beabec08ab03bc23bcdb8b4d7b81529e17d7319ec7b3c69ba6f6679051bc76ac72d83e92c60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
a31a46a96c8c7276445f0f7d21451a93

SHA1
a1822ffc97e9a3d0e0b3e3db873fc951342e5f3f

SHA256
15846e3aceaa89aea0e6f4f5ae5b42e3803eefa184cf27a9c9ca2d0213d7a635

SHA512
be06f487a982b16d0de15566c8d9fd135f943acc7b887cccd619beabec08ab03bc23bcdb8b4d7b81529e17d7319ec7b3c69ba6f6679051bc76ac72d83e92c60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
a31a46a96c8c7276445f0f7d21451a93

SHA1
a1822ffc97e9a3d0e0b3e3db873fc951342e5f3f

SHA256
15846e3aceaa89aea0e6f4f5ae5b42e3803eefa184cf27a9c9ca2d0213d7a635

SHA512
be06f487a982b16d0de15566c8d9fd135f943acc7b887cccd619beabec08ab03bc23bcdb8b4d7b81529e17d7319ec7b3c69ba6f6679051bc76ac72d83e92c60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
a31a46a96c8c7276445f0f7d21451a93

SHA1
a1822ffc97e9a3d0e0b3e3db873fc951342e5f3f

SHA256
15846e3aceaa89aea0e6f4f5ae5b42e3803eefa184cf27a9c9ca2d0213d7a635

SHA512
be06f487a982b16d0de15566c8d9fd135f943acc7b887cccd619beabec08ab03bc23bcdb8b4d7b81529e17d7319ec7b3c69ba6f6679051bc76ac72d83e92c60f

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1656-1128-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1656-240-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/1656-1135-0x0000000008F70000-0x000000000949C000-memory.dmp

Filesize
5.2MB

Download
memory/1656-1134-0x0000000008DA0000-0x0000000008F62000-memory.dmp

Filesize
1.8MB

Download
memory/1656-1133-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1656-1132-0x0000000008AB0000-0x0000000008B00000-memory.dmp

Filesize
320KB

Download
memory/1656-1131-0x0000000008A20000-0x0000000008A96000-memory.dmp

Filesize
472KB

Download
memory/1656-1130-0x0000000008320000-0x0000000008386000-memory.dmp

Filesize
408KB

Download
memory/1656-1129-0x0000000008280000-0x0000000008312000-memory.dmp

Filesize
584KB

Download
memory/1656-1127-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1656-1125-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1656-1124-0x0000000007FA0000-0x0000000007FDC000-memory.dmp

Filesize
240KB

Download
memory/1656-1123-0x0000000007F80000-0x0000000007F92000-memory.dmp

Filesize
72KB

Download
memory/1656-211-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/1656-212-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/1656-214-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/1656-216-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/1656-218-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/1656-220-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/1656-222-0x0000000002E30000-0x0000000002E7B000-memory.dmp

Filesize
300KB

Download
memory/1656-224-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1656-226-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1656-223-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/1656-228-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/1656-227-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1656-230-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/1656-232-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/1656-234-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/1656-236-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/1656-238-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/1656-242-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/1656-1122-0x0000000007E70000-0x0000000007F7A000-memory.dmp

Filesize
1.0MB

Download
memory/1656-244-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/1656-248-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/1656-246-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/1656-1121-0x0000000007850000-0x0000000007E68000-memory.dmp

Filesize
6.1MB

Download
memory/2764-161-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

Filesize
40KB

Download
memory/2968-182-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/2968-188-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/2968-186-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/2968-204-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/2968-184-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/2968-202-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/2968-203-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/2968-201-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/2968-200-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/2968-198-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/2968-196-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/2968-194-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/2968-206-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/2968-190-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/2968-174-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/2968-192-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/2968-180-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/2968-178-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/2968-176-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/2968-173-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/2968-175-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/2968-168-0x00000000047B0000-0x00000000047DD000-memory.dmp

Filesize
180KB

Download
memory/2968-171-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/2968-170-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/2968-169-0x00000000070F0000-0x0000000007694000-memory.dmp

Filesize
5.6MB

Download
memory/5068-1141-0x0000000000D40000-0x0000000000D72000-memory.dmp

Filesize
200KB

Download
memory/5068-1142-0x0000000005950000-0x0000000005960000-memory.dmp

Filesize
64KB

Download