amadey | 9d75ff57dc1cf2e24826c747d93dc0ce983f268a556a47f7e7cbb6f13021746f

Analysis

max time kernel
111s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d75ff57dc1cf2e24826c747d93dc0ce983f268a556a47f7e7cbb6f13021746f.exe
Size

991KB
MD5

867840a479a292aefdae8b8f10011a31
SHA1

5a8d1dc5c178d5f580000c1e3a5d18c8730b2e99
SHA256

9d75ff57dc1cf2e24826c747d93dc0ce983f268a556a47f7e7cbb6f13021746f
SHA512

e4b259bf71201c3272d7e20cc06caefd51ac14c48a2d3f0ba2156bc749a5de055d412a6233b01cfd6a52c4254e8e6691dcae1e0548c0574ed5397ce8bc3c857b
SSDEEP

24576:zy9OUFGiHTYutACP5o9J6QvFDDlkmD4LeTsR:G4UFp+Ci9J3vJpFDGeI

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v5713Rx.exetz5850.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v5713Rx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v5713Rx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v5713Rx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v5713Rx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz5850.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz5850.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz5850.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz5850.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz5850.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v5713Rx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v5713Rx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz5850.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1208-215-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1208-214-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1208-217-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1208-219-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1208-221-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1208-223-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1208-225-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1208-231-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1208-229-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1208-227-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1208-233-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1208-237-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1208-235-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1208-239-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1208-241-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1208-243-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1208-245-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1208-247-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

oneetx.exey44oN64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	y44oN64.exe

Executes dropped EXE 10 IoCs

Processes:

zap8363.exezap5912.exezap7707.exetz5850.exev5713Rx.exew84bG97.exexxUFJ39.exey44oN64.exeoneetx.exeoneetx.exe

pid	process
4352	zap8363.exe
4324	zap5912.exe
1496	zap7707.exe
1720	tz5850.exe
1204	v5713Rx.exe
1208	w84bG97.exe
2168	xxUFJ39.exe
1552	y44oN64.exe
4792	oneetx.exe
3568	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4984 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4984	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v5713Rx.exetz5850.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v5713Rx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v5713Rx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz5850.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9d75ff57dc1cf2e24826c747d93dc0ce983f268a556a47f7e7cbb6f13021746f.exezap8363.exezap5912.exezap7707.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9d75ff57dc1cf2e24826c747d93dc0ce983f268a556a47f7e7cbb6f13021746f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8363.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap8363.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap5912.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap5912.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7707.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap7707.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9d75ff57dc1cf2e24826c747d93dc0ce983f268a556a47f7e7cbb6f13021746f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2460 1204 WerFault.exe v5713Rx.exe
2064 1208 WerFault.exe w84bG97.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3928 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz5850.exev5713Rx.exew84bG97.exexxUFJ39.exe

pid process

1720 tz5850.exe
1720 tz5850.exe
1204 v5713Rx.exe
1204 v5713Rx.exe
1208 w84bG97.exe
1208 w84bG97.exe
2168 xxUFJ39.exe
2168 xxUFJ39.exe

pid	pid_target	process	target process
2460	1204	WerFault.exe	v5713Rx.exe
2064	1208	WerFault.exe	w84bG97.exe

pid	process
3928	schtasks.exe

pid	process
1720	tz5850.exe
1720	tz5850.exe
1204	v5713Rx.exe
1204	v5713Rx.exe
1208	w84bG97.exe
1208	w84bG97.exe
2168	xxUFJ39.exe
2168	xxUFJ39.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz5850.exev5713Rx.exew84bG97.exexxUFJ39.exe

description	pid	process
Token: SeDebugPrivilege	1720	tz5850.exe
Token: SeDebugPrivilege	1204	v5713Rx.exe
Token: SeDebugPrivilege	1208	w84bG97.exe
Token: SeDebugPrivilege	2168	xxUFJ39.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y44oN64.exe

pid process

1552 y44oN64.exe

pid	process
1552	y44oN64.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

9d75ff57dc1cf2e24826c747d93dc0ce983f268a556a47f7e7cbb6f13021746f.exezap8363.exezap5912.exezap7707.exey44oN64.exeoneetx.execmd.exe

description	pid	process	target process
PID 1280 wrote to memory of 4352	1280	9d75ff57dc1cf2e24826c747d93dc0ce983f268a556a47f7e7cbb6f13021746f.exe	zap8363.exe
PID 1280 wrote to memory of 4352	1280	9d75ff57dc1cf2e24826c747d93dc0ce983f268a556a47f7e7cbb6f13021746f.exe	zap8363.exe
PID 1280 wrote to memory of 4352	1280	9d75ff57dc1cf2e24826c747d93dc0ce983f268a556a47f7e7cbb6f13021746f.exe	zap8363.exe
PID 4352 wrote to memory of 4324	4352	zap8363.exe	zap5912.exe
PID 4352 wrote to memory of 4324	4352	zap8363.exe	zap5912.exe
PID 4352 wrote to memory of 4324	4352	zap8363.exe	zap5912.exe
PID 4324 wrote to memory of 1496	4324	zap5912.exe	zap7707.exe
PID 4324 wrote to memory of 1496	4324	zap5912.exe	zap7707.exe
PID 4324 wrote to memory of 1496	4324	zap5912.exe	zap7707.exe
PID 1496 wrote to memory of 1720	1496	zap7707.exe	tz5850.exe
PID 1496 wrote to memory of 1720	1496	zap7707.exe	tz5850.exe
PID 1496 wrote to memory of 1204	1496	zap7707.exe	v5713Rx.exe
PID 1496 wrote to memory of 1204	1496	zap7707.exe	v5713Rx.exe
PID 1496 wrote to memory of 1204	1496	zap7707.exe	v5713Rx.exe
PID 4324 wrote to memory of 1208	4324	zap5912.exe	w84bG97.exe
PID 4324 wrote to memory of 1208	4324	zap5912.exe	w84bG97.exe
PID 4324 wrote to memory of 1208	4324	zap5912.exe	w84bG97.exe
PID 4352 wrote to memory of 2168	4352	zap8363.exe	xxUFJ39.exe
PID 4352 wrote to memory of 2168	4352	zap8363.exe	xxUFJ39.exe
PID 4352 wrote to memory of 2168	4352	zap8363.exe	xxUFJ39.exe
PID 1280 wrote to memory of 1552	1280	9d75ff57dc1cf2e24826c747d93dc0ce983f268a556a47f7e7cbb6f13021746f.exe	y44oN64.exe
PID 1280 wrote to memory of 1552	1280	9d75ff57dc1cf2e24826c747d93dc0ce983f268a556a47f7e7cbb6f13021746f.exe	y44oN64.exe
PID 1280 wrote to memory of 1552	1280	9d75ff57dc1cf2e24826c747d93dc0ce983f268a556a47f7e7cbb6f13021746f.exe	y44oN64.exe
PID 1552 wrote to memory of 4792	1552	y44oN64.exe	oneetx.exe
PID 1552 wrote to memory of 4792	1552	y44oN64.exe	oneetx.exe
PID 1552 wrote to memory of 4792	1552	y44oN64.exe	oneetx.exe
PID 4792 wrote to memory of 3928	4792	oneetx.exe	schtasks.exe
PID 4792 wrote to memory of 3928	4792	oneetx.exe	schtasks.exe
PID 4792 wrote to memory of 3928	4792	oneetx.exe	schtasks.exe
PID 4792 wrote to memory of 772	4792	oneetx.exe	cmd.exe
PID 4792 wrote to memory of 772	4792	oneetx.exe	cmd.exe
PID 4792 wrote to memory of 772	4792	oneetx.exe	cmd.exe
PID 772 wrote to memory of 4772	772	cmd.exe	cmd.exe
PID 772 wrote to memory of 4772	772	cmd.exe	cmd.exe
PID 772 wrote to memory of 4772	772	cmd.exe	cmd.exe
PID 772 wrote to memory of 3612	772	cmd.exe	cacls.exe
PID 772 wrote to memory of 3612	772	cmd.exe	cacls.exe
PID 772 wrote to memory of 3612	772	cmd.exe	cacls.exe
PID 772 wrote to memory of 2296	772	cmd.exe	cacls.exe
PID 772 wrote to memory of 2296	772	cmd.exe	cacls.exe
PID 772 wrote to memory of 2296	772	cmd.exe	cacls.exe
PID 772 wrote to memory of 4688	772	cmd.exe	cmd.exe
PID 772 wrote to memory of 4688	772	cmd.exe	cmd.exe
PID 772 wrote to memory of 4688	772	cmd.exe	cmd.exe
PID 772 wrote to memory of 3232	772	cmd.exe	cacls.exe
PID 772 wrote to memory of 3232	772	cmd.exe	cacls.exe
PID 772 wrote to memory of 3232	772	cmd.exe	cacls.exe
PID 772 wrote to memory of 1860	772	cmd.exe	cacls.exe
PID 772 wrote to memory of 1860	772	cmd.exe	cacls.exe
PID 772 wrote to memory of 1860	772	cmd.exe	cacls.exe
PID 4792 wrote to memory of 4984	4792	oneetx.exe	rundll32.exe
PID 4792 wrote to memory of 4984	4792	oneetx.exe	rundll32.exe
PID 4792 wrote to memory of 4984	4792	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\9d75ff57dc1cf2e24826c747d93dc0ce983f268a556a47f7e7cbb6f13021746f.exe
"C:\Users\Admin\AppData\Local\Temp\9d75ff57dc1cf2e24826c747d93dc0ce983f268a556a47f7e7cbb6f13021746f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8363.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8363.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4352

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5912.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5912.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7707.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7707.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5850.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5850.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5713Rx.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5713Rx.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1084
6⤵
- Program crash
PID:2460

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84bG97.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84bG97.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 1328
5⤵
- Program crash
PID:2064

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xxUFJ39.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xxUFJ39.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y44oN64.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y44oN64.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:3928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4772

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:3612

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:2296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4688

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:3232

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:1860

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1204 -ip 1204
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1208 -ip 1208
1⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:3568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y44oN64.exe
Filesize
236KB

MD5
7797415f49432c926a635f48fd8eeea2

SHA1
9f3eee9586798645867293dac1db38f941ccf520

SHA256
209b43ddad475843c7004414f446a9fe7e927d401e178e05e95db08e46afbcbf

SHA512
94572a86f09ebe9c8cf79b630e25f3834401f5c2b0841c2209a0cf0ed708a899f03c1bb1ccf8fe000ca3a4b86a34336796ad76b238c08165362c9a45f4d5b554

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y44oN64.exe
Filesize
236KB

MD5
7797415f49432c926a635f48fd8eeea2

SHA1
9f3eee9586798645867293dac1db38f941ccf520

SHA256
209b43ddad475843c7004414f446a9fe7e927d401e178e05e95db08e46afbcbf

SHA512
94572a86f09ebe9c8cf79b630e25f3834401f5c2b0841c2209a0cf0ed708a899f03c1bb1ccf8fe000ca3a4b86a34336796ad76b238c08165362c9a45f4d5b554

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8363.exe
Filesize
807KB

MD5
6511bad0281c18e450261b081297f4ba

SHA1
36bb951be22798766203cf1fe223a1843589534a

SHA256
78882d1590c96dc9fbdbba55c462f6bb3784a9b32f42c5ade6f3813583dab490

SHA512
03aec96067fbe9d616be69ab122f9f8f34c368b322c089420b65b0345d772a44116d9bd5b0f9d1ba9563cc97336e2ed41aa1359eea250a598d614804d494b53a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8363.exe
Filesize
807KB

MD5
6511bad0281c18e450261b081297f4ba

SHA1
36bb951be22798766203cf1fe223a1843589534a

SHA256
78882d1590c96dc9fbdbba55c462f6bb3784a9b32f42c5ade6f3813583dab490

SHA512
03aec96067fbe9d616be69ab122f9f8f34c368b322c089420b65b0345d772a44116d9bd5b0f9d1ba9563cc97336e2ed41aa1359eea250a598d614804d494b53a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xxUFJ39.exe
Filesize
175KB

MD5
1549965f24c01bc61be7af3199289abf

SHA1
193caa70092332e6eefb71d2c77fca03298a14fc

SHA256
6da70e0806cc39eafbdf0dc1a1d7db693cf43705338b7e6892d95b13d5f9261d

SHA512
c5c5f5c0635052bc0cc140be5a1a46dbb9f3e0e5f20a3aa0952a3be9b8825812fc51ca7b3e1305bafda16ed1163dd0c45959efa6e66547b305f69781d6d730a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xxUFJ39.exe
Filesize
175KB

MD5
1549965f24c01bc61be7af3199289abf

SHA1
193caa70092332e6eefb71d2c77fca03298a14fc

SHA256
6da70e0806cc39eafbdf0dc1a1d7db693cf43705338b7e6892d95b13d5f9261d

SHA512
c5c5f5c0635052bc0cc140be5a1a46dbb9f3e0e5f20a3aa0952a3be9b8825812fc51ca7b3e1305bafda16ed1163dd0c45959efa6e66547b305f69781d6d730a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5912.exe
Filesize
665KB

MD5
e6cb1d63c9131b37092e46ed02c8dcdb

SHA1
0472257a4740df5dffa02197da4897494b777459

SHA256
5a4537ba7c116966e12da82a7c91a35b91636e2ddda8f0ff9a03fd1ceb5078dd

SHA512
81d6b60bb2a07dc20b209a1cfcbe199453f72c411ccc03d89a02bd647cafdfe965a69d598aba27a95bd5ca7ef1d49828508d7d4eaab8e70c4f5ae58c0831a8f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5912.exe
Filesize
665KB

MD5
e6cb1d63c9131b37092e46ed02c8dcdb

SHA1
0472257a4740df5dffa02197da4897494b777459

SHA256
5a4537ba7c116966e12da82a7c91a35b91636e2ddda8f0ff9a03fd1ceb5078dd

SHA512
81d6b60bb2a07dc20b209a1cfcbe199453f72c411ccc03d89a02bd647cafdfe965a69d598aba27a95bd5ca7ef1d49828508d7d4eaab8e70c4f5ae58c0831a8f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84bG97.exe
Filesize
342KB

MD5
87ec7b65bd7f02044b128b6ff63608af

SHA1
590b5c2364fbde4f703a1494bad2bc4f7f4635a7

SHA256
5479c0b602089d77f8ec946dcf308235452aa5d4a9358e6f7564af8431eef6f5

SHA512
be6f51f35d84abf0261011155fd9dddbc839cddb7b2c423e6b8e9e2c58b9a5bd2085b41db86aaaab7b1a087fe9f22696fa3ec66606bdf78e937de3fbb48c0315

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84bG97.exe
Filesize
342KB

MD5
87ec7b65bd7f02044b128b6ff63608af

SHA1
590b5c2364fbde4f703a1494bad2bc4f7f4635a7

SHA256
5479c0b602089d77f8ec946dcf308235452aa5d4a9358e6f7564af8431eef6f5

SHA512
be6f51f35d84abf0261011155fd9dddbc839cddb7b2c423e6b8e9e2c58b9a5bd2085b41db86aaaab7b1a087fe9f22696fa3ec66606bdf78e937de3fbb48c0315

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7707.exe
Filesize
329KB

MD5
4c3760f8b4d7022ec4b8264aae834ba6

SHA1
f5ed27c3873306c9c2102625bb4af9fa4cfcb8fc

SHA256
e6d70d0f0082d7d5c25ad0e436f2efc0fb86e0168c16fdbced12c71da075f584

SHA512
21e2cbfff7c339c57a3408d52c16bd87233d11b63885b1a80476ce1ed32aa38f014f8e8a6ab2bb11f5f08371506be90373b32513998793a98d989912fd7a42fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7707.exe
Filesize
329KB

MD5
4c3760f8b4d7022ec4b8264aae834ba6

SHA1
f5ed27c3873306c9c2102625bb4af9fa4cfcb8fc

SHA256
e6d70d0f0082d7d5c25ad0e436f2efc0fb86e0168c16fdbced12c71da075f584

SHA512
21e2cbfff7c339c57a3408d52c16bd87233d11b63885b1a80476ce1ed32aa38f014f8e8a6ab2bb11f5f08371506be90373b32513998793a98d989912fd7a42fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5850.exe
Filesize
12KB

MD5
93bcba22f06df8fb86c113973eb20f15

SHA1
a8eed1517b821fe413cba650de349607f73b8c69

SHA256
8322ca1167bd88052e7a2c26eaf5b0d34494d1b899aa5efa4c4f0aaf515151fc

SHA512
14cb24f0c2539160764d932a3f7a43c72acb95a7b4009f975f7f2fb04749735151fc5fb84f2599de162cabe37f43ac1ec4fbe51c14f3e049329a377720f52960

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5850.exe
Filesize
12KB

MD5
93bcba22f06df8fb86c113973eb20f15

SHA1
a8eed1517b821fe413cba650de349607f73b8c69

SHA256
8322ca1167bd88052e7a2c26eaf5b0d34494d1b899aa5efa4c4f0aaf515151fc

SHA512
14cb24f0c2539160764d932a3f7a43c72acb95a7b4009f975f7f2fb04749735151fc5fb84f2599de162cabe37f43ac1ec4fbe51c14f3e049329a377720f52960

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5713Rx.exe
Filesize
284KB

MD5
ec49713ceb3e4efca7a006c036651fe3

SHA1
625d677552006572fc944a5de95a44de3f1f87d2

SHA256
1026b169b188cc5783cb28214b26cac172b910784153577ed235453422c21c59

SHA512
f686d66d86eaa103d116f00b145f0e407f6e2c0bd240a884cff3367f1998c6bc62d9ca488573be3a8b0faa8a900310205973943e4d25b2fedac34846f8e70feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5713Rx.exe
Filesize
284KB

MD5
ec49713ceb3e4efca7a006c036651fe3

SHA1
625d677552006572fc944a5de95a44de3f1f87d2

SHA256
1026b169b188cc5783cb28214b26cac172b910784153577ed235453422c21c59

SHA512
f686d66d86eaa103d116f00b145f0e407f6e2c0bd240a884cff3367f1998c6bc62d9ca488573be3a8b0faa8a900310205973943e4d25b2fedac34846f8e70feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
7797415f49432c926a635f48fd8eeea2

SHA1
9f3eee9586798645867293dac1db38f941ccf520

SHA256
209b43ddad475843c7004414f446a9fe7e927d401e178e05e95db08e46afbcbf

SHA512
94572a86f09ebe9c8cf79b630e25f3834401f5c2b0841c2209a0cf0ed708a899f03c1bb1ccf8fe000ca3a4b86a34336796ad76b238c08165362c9a45f4d5b554

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
7797415f49432c926a635f48fd8eeea2

SHA1
9f3eee9586798645867293dac1db38f941ccf520

SHA256
209b43ddad475843c7004414f446a9fe7e927d401e178e05e95db08e46afbcbf

SHA512
94572a86f09ebe9c8cf79b630e25f3834401f5c2b0841c2209a0cf0ed708a899f03c1bb1ccf8fe000ca3a4b86a34336796ad76b238c08165362c9a45f4d5b554

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
7797415f49432c926a635f48fd8eeea2

SHA1
9f3eee9586798645867293dac1db38f941ccf520

SHA256
209b43ddad475843c7004414f446a9fe7e927d401e178e05e95db08e46afbcbf

SHA512
94572a86f09ebe9c8cf79b630e25f3834401f5c2b0841c2209a0cf0ed708a899f03c1bb1ccf8fe000ca3a4b86a34336796ad76b238c08165362c9a45f4d5b554

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
7797415f49432c926a635f48fd8eeea2

SHA1
9f3eee9586798645867293dac1db38f941ccf520

SHA256
209b43ddad475843c7004414f446a9fe7e927d401e178e05e95db08e46afbcbf

SHA512
94572a86f09ebe9c8cf79b630e25f3834401f5c2b0841c2209a0cf0ed708a899f03c1bb1ccf8fe000ca3a4b86a34336796ad76b238c08165362c9a45f4d5b554

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1204-184-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1204-204-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download
memory/1204-188-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1204-190-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1204-192-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1204-194-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1204-196-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1204-197-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download
memory/1204-198-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download
memory/1204-199-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download
memory/1204-200-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/1204-202-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download
memory/1204-203-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download
memory/1204-186-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1204-205-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/1204-182-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1204-180-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1204-178-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1204-176-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1204-174-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1204-172-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1204-170-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1204-169-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1204-168-0x00000000071D0000-0x0000000007774000-memory.dmp

Filesize
5.6MB

Download
memory/1204-167-0x0000000002D10000-0x0000000002D3D000-memory.dmp

Filesize
180KB

Download
memory/1208-214-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1208-1128-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1208-229-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1208-227-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1208-233-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1208-237-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1208-235-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1208-239-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1208-241-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1208-243-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1208-245-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1208-247-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1208-1120-0x00000000077C0000-0x0000000007DD8000-memory.dmp

Filesize
6.1MB

Download
memory/1208-1121-0x0000000007E30000-0x0000000007F3A000-memory.dmp

Filesize
1.0MB

Download
memory/1208-1122-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/1208-1123-0x0000000007F90000-0x0000000007FCC000-memory.dmp

Filesize
240KB

Download
memory/1208-1124-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1208-1126-0x0000000008280000-0x00000000082E6000-memory.dmp

Filesize
408KB

Download
memory/1208-1127-0x0000000008950000-0x00000000089E2000-memory.dmp

Filesize
584KB

Download
memory/1208-231-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1208-1129-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1208-1130-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1208-1131-0x0000000008A30000-0x0000000008AA6000-memory.dmp

Filesize
472KB

Download
memory/1208-1132-0x0000000008AB0000-0x0000000008B00000-memory.dmp

Filesize
320KB

Download
memory/1208-1133-0x0000000008C60000-0x0000000008E22000-memory.dmp

Filesize
1.8MB

Download
memory/1208-1134-0x0000000008E40000-0x000000000936C000-memory.dmp

Filesize
5.2MB

Download
memory/1208-1135-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1208-210-0x00000000047D0000-0x000000000481B000-memory.dmp

Filesize
300KB

Download
memory/1208-212-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1208-211-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1208-225-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1208-223-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1208-221-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1208-219-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1208-217-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1208-215-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1208-213-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1720-161-0x0000000000650000-0x000000000065A000-memory.dmp

Filesize
40KB

Download
memory/2168-1142-0x0000000005A40000-0x0000000005A50000-memory.dmp

Filesize
64KB

Download
memory/2168-1141-0x0000000000E80000-0x0000000000EB2000-memory.dmp

Filesize
200KB

Download