amadey | 1d9d8753c05b3e56276fca968fb9fcc347c74766c48671cad5eb51e77955c096

Analysis

max time kernel
123s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d9d8753c05b3e56276fca968fb9fcc347c74766c48671cad5eb51e77955c096.exe
Size

990KB
MD5

2db3436d162e2b8238327555ae080c05
SHA1

0c9229c08a889e3770ab36266478243e3eb0d937
SHA256

1d9d8753c05b3e56276fca968fb9fcc347c74766c48671cad5eb51e77955c096
SHA512

4f2dda87816e4ea1dd9da603ba643f3024d1f506ced19682083b9143d42e898a8a97080f3a55d7e309f7a6ccce904974e29528e4c9ed8200ee14e41fa1166ae4
SSDEEP

24576:cyJbwbiNMcb9tuku5EDjbPWBxtizr2xOm6cZRbGYkCYaFfT:LLbtukUEDPPYiryH6cRbx

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v9120RJ.exetz2108.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v9120RJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v9120RJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz2108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz2108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v9120RJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v9120RJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz2108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz2108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz2108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz2108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v9120RJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v9120RJ.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1944-210-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/1944-211-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/1944-213-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/1944-218-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/1944-217-0x00000000072E0000-0x00000000072F0000-memory.dmp	family_redline
behavioral1/memory/1944-221-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/1944-223-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/1944-225-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/1944-227-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/1944-229-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/1944-233-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/1944-231-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/1944-235-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/1944-237-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/1944-239-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/1944-241-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/1944-243-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/1944-245-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/1944-247-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y80WB13.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	y80WB13.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

Processes:

zap9079.exezap6936.exezap8177.exetz2108.exev9120RJ.exew97eN04.exexpWGH56.exey80WB13.exeoneetx.exeoneetx.exe

pid	process
2728	zap9079.exe
4808	zap6936.exe
1788	zap8177.exe
1540	tz2108.exe
1228	v9120RJ.exe
1944	w97eN04.exe
3732	xpWGH56.exe
1608	y80WB13.exe
4064	oneetx.exe
1952	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2828 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2828	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz2108.exev9120RJ.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz2108.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v9120RJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v9120RJ.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap9079.exezap6936.exezap8177.exe1d9d8753c05b3e56276fca968fb9fcc347c74766c48671cad5eb51e77955c096.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap9079.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6936.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap6936.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8177.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap8177.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1d9d8753c05b3e56276fca968fb9fcc347c74766c48671cad5eb51e77955c096.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1d9d8753c05b3e56276fca968fb9fcc347c74766c48671cad5eb51e77955c096.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3712 1944 WerFault.exe w97eN04.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4144 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz2108.exev9120RJ.exew97eN04.exexpWGH56.exe

pid process

1540 tz2108.exe
1540 tz2108.exe
1228 v9120RJ.exe
1228 v9120RJ.exe
1944 w97eN04.exe
1944 w97eN04.exe
3732 xpWGH56.exe
3732 xpWGH56.exe

pid	pid_target	process	target process
3712	1944	WerFault.exe	w97eN04.exe

pid	process
4144	schtasks.exe

pid	process
1540	tz2108.exe
1540	tz2108.exe
1228	v9120RJ.exe
1228	v9120RJ.exe
1944	w97eN04.exe
1944	w97eN04.exe
3732	xpWGH56.exe
3732	xpWGH56.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz2108.exev9120RJ.exew97eN04.exexpWGH56.exe

description	pid	process
Token: SeDebugPrivilege	1540	tz2108.exe
Token: SeDebugPrivilege	1228	v9120RJ.exe
Token: SeDebugPrivilege	1944	w97eN04.exe
Token: SeDebugPrivilege	3732	xpWGH56.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y80WB13.exe

pid process

1608 y80WB13.exe

pid	process
1608	y80WB13.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

1d9d8753c05b3e56276fca968fb9fcc347c74766c48671cad5eb51e77955c096.exezap9079.exezap6936.exezap8177.exey80WB13.exeoneetx.execmd.exe

description	pid	process	target process
PID 5056 wrote to memory of 2728	5056	1d9d8753c05b3e56276fca968fb9fcc347c74766c48671cad5eb51e77955c096.exe	zap9079.exe
PID 5056 wrote to memory of 2728	5056	1d9d8753c05b3e56276fca968fb9fcc347c74766c48671cad5eb51e77955c096.exe	zap9079.exe
PID 5056 wrote to memory of 2728	5056	1d9d8753c05b3e56276fca968fb9fcc347c74766c48671cad5eb51e77955c096.exe	zap9079.exe
PID 2728 wrote to memory of 4808	2728	zap9079.exe	zap6936.exe
PID 2728 wrote to memory of 4808	2728	zap9079.exe	zap6936.exe
PID 2728 wrote to memory of 4808	2728	zap9079.exe	zap6936.exe
PID 4808 wrote to memory of 1788	4808	zap6936.exe	zap8177.exe
PID 4808 wrote to memory of 1788	4808	zap6936.exe	zap8177.exe
PID 4808 wrote to memory of 1788	4808	zap6936.exe	zap8177.exe
PID 1788 wrote to memory of 1540	1788	zap8177.exe	tz2108.exe
PID 1788 wrote to memory of 1540	1788	zap8177.exe	tz2108.exe
PID 1788 wrote to memory of 1228	1788	zap8177.exe	v9120RJ.exe
PID 1788 wrote to memory of 1228	1788	zap8177.exe	v9120RJ.exe
PID 1788 wrote to memory of 1228	1788	zap8177.exe	v9120RJ.exe
PID 4808 wrote to memory of 1944	4808	zap6936.exe	w97eN04.exe
PID 4808 wrote to memory of 1944	4808	zap6936.exe	w97eN04.exe
PID 4808 wrote to memory of 1944	4808	zap6936.exe	w97eN04.exe
PID 2728 wrote to memory of 3732	2728	zap9079.exe	xpWGH56.exe
PID 2728 wrote to memory of 3732	2728	zap9079.exe	xpWGH56.exe
PID 2728 wrote to memory of 3732	2728	zap9079.exe	xpWGH56.exe
PID 5056 wrote to memory of 1608	5056	1d9d8753c05b3e56276fca968fb9fcc347c74766c48671cad5eb51e77955c096.exe	y80WB13.exe
PID 5056 wrote to memory of 1608	5056	1d9d8753c05b3e56276fca968fb9fcc347c74766c48671cad5eb51e77955c096.exe	y80WB13.exe
PID 5056 wrote to memory of 1608	5056	1d9d8753c05b3e56276fca968fb9fcc347c74766c48671cad5eb51e77955c096.exe	y80WB13.exe
PID 1608 wrote to memory of 4064	1608	y80WB13.exe	oneetx.exe
PID 1608 wrote to memory of 4064	1608	y80WB13.exe	oneetx.exe
PID 1608 wrote to memory of 4064	1608	y80WB13.exe	oneetx.exe
PID 4064 wrote to memory of 4144	4064	oneetx.exe	schtasks.exe
PID 4064 wrote to memory of 4144	4064	oneetx.exe	schtasks.exe
PID 4064 wrote to memory of 4144	4064	oneetx.exe	schtasks.exe
PID 4064 wrote to memory of 2240	4064	oneetx.exe	cmd.exe
PID 4064 wrote to memory of 2240	4064	oneetx.exe	cmd.exe
PID 4064 wrote to memory of 2240	4064	oneetx.exe	cmd.exe
PID 2240 wrote to memory of 3284	2240	cmd.exe	cmd.exe
PID 2240 wrote to memory of 3284	2240	cmd.exe	cmd.exe
PID 2240 wrote to memory of 3284	2240	cmd.exe	cmd.exe
PID 2240 wrote to memory of 400	2240	cmd.exe	cacls.exe
PID 2240 wrote to memory of 400	2240	cmd.exe	cacls.exe
PID 2240 wrote to memory of 400	2240	cmd.exe	cacls.exe
PID 2240 wrote to memory of 2356	2240	cmd.exe	cacls.exe
PID 2240 wrote to memory of 2356	2240	cmd.exe	cacls.exe
PID 2240 wrote to memory of 2356	2240	cmd.exe	cacls.exe
PID 2240 wrote to memory of 5104	2240	cmd.exe	cmd.exe
PID 2240 wrote to memory of 5104	2240	cmd.exe	cmd.exe
PID 2240 wrote to memory of 5104	2240	cmd.exe	cmd.exe
PID 2240 wrote to memory of 4964	2240	cmd.exe	cacls.exe
PID 2240 wrote to memory of 4964	2240	cmd.exe	cacls.exe
PID 2240 wrote to memory of 4964	2240	cmd.exe	cacls.exe
PID 2240 wrote to memory of 2372	2240	cmd.exe	cacls.exe
PID 2240 wrote to memory of 2372	2240	cmd.exe	cacls.exe
PID 2240 wrote to memory of 2372	2240	cmd.exe	cacls.exe
PID 4064 wrote to memory of 2828	4064	oneetx.exe	rundll32.exe
PID 4064 wrote to memory of 2828	4064	oneetx.exe	rundll32.exe
PID 4064 wrote to memory of 2828	4064	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\1d9d8753c05b3e56276fca968fb9fcc347c74766c48671cad5eb51e77955c096.exe
"C:\Users\Admin\AppData\Local\Temp\1d9d8753c05b3e56276fca968fb9fcc347c74766c48671cad5eb51e77955c096.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5056

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9079.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9079.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6936.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6936.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8177.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8177.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1788

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2108.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2108.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9120RJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9120RJ.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w97eN04.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w97eN04.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 1352
5⤵
- Program crash
PID:3712

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xpWGH56.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xpWGH56.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y80WB13.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y80WB13.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:4144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3284

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:400

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5104

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:4964

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:2372

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1944 -ip 1944
1⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y80WB13.exe
Filesize
236KB

MD5
b5b6e1eeb6b12a63b5c8a9e5bd46661b

SHA1
ff5623ae8683e77a0e6d1fa97b88bab91ee8aad7

SHA256
05c1f00b2c48ddd9116f08d8603620bca3b08309a1463b6dfa79fbeebb278425

SHA512
efa135344acfb5582cb411abaee4cb55914f1e6860aa616bd75ccaa53515b9f835ca88d513345243ad1a89f8f053792694df5a882eefccc2d63f8ea7ffc694ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y80WB13.exe
Filesize
236KB

MD5
b5b6e1eeb6b12a63b5c8a9e5bd46661b

SHA1
ff5623ae8683e77a0e6d1fa97b88bab91ee8aad7

SHA256
05c1f00b2c48ddd9116f08d8603620bca3b08309a1463b6dfa79fbeebb278425

SHA512
efa135344acfb5582cb411abaee4cb55914f1e6860aa616bd75ccaa53515b9f835ca88d513345243ad1a89f8f053792694df5a882eefccc2d63f8ea7ffc694ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9079.exe
Filesize
806KB

MD5
09bbc6a1295f51719740ce96a5be0bc1

SHA1
ed900d18f39129f0122c6e0c2352e2d85309d315

SHA256
3a30741ea2d1f6e0d7414f75963ad17fda218f84dbbc2d4614612d0d3628ad86

SHA512
88a7b0656b0fb7fc11b61f7133dd3d33b899dd49fafbb67fd84290a55f7654998202431a9d4b44059899f364b7ff17986f8a842199dc310b78d79c9018350159

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9079.exe
Filesize
806KB

MD5
09bbc6a1295f51719740ce96a5be0bc1

SHA1
ed900d18f39129f0122c6e0c2352e2d85309d315

SHA256
3a30741ea2d1f6e0d7414f75963ad17fda218f84dbbc2d4614612d0d3628ad86

SHA512
88a7b0656b0fb7fc11b61f7133dd3d33b899dd49fafbb67fd84290a55f7654998202431a9d4b44059899f364b7ff17986f8a842199dc310b78d79c9018350159

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xpWGH56.exe
Filesize
175KB

MD5
813c2eb4005dc7f436f699615c0f90b2

SHA1
04951e87beaf104837453b0b49ab838f16a3b821

SHA256
a28bca0508a83546ca454aa55623941c1f50fd25d3d07719346dd8eb78cd729e

SHA512
5c99781faa97fe2d592b3ab036664b52919e21ff8652b1be45d2f12217d5c6b442c33a688c464d1936a607aeeefb4aae662e3b6e5b77ed637c05770f95a3ec97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xpWGH56.exe
Filesize
175KB

MD5
813c2eb4005dc7f436f699615c0f90b2

SHA1
04951e87beaf104837453b0b49ab838f16a3b821

SHA256
a28bca0508a83546ca454aa55623941c1f50fd25d3d07719346dd8eb78cd729e

SHA512
5c99781faa97fe2d592b3ab036664b52919e21ff8652b1be45d2f12217d5c6b442c33a688c464d1936a607aeeefb4aae662e3b6e5b77ed637c05770f95a3ec97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6936.exe
Filesize
664KB

MD5
e97e16e540873fa0a0f23559ca9fa803

SHA1
c196cd26c05dd6002044f2db92a8db134483778a

SHA256
5b02d31e933c62d859303a9bab3b7a2af19f50f54bf6c93cd4858d4d3b097355

SHA512
0a6efca616faf8ed60579b1ec6cfafa1d0a297c977ce59c7d92fde9713564cdbc69ea216b90a93ea821331edc79e63616600eeebf4ca97a20f2452ac5631c05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6936.exe
Filesize
664KB

MD5
e97e16e540873fa0a0f23559ca9fa803

SHA1
c196cd26c05dd6002044f2db92a8db134483778a

SHA256
5b02d31e933c62d859303a9bab3b7a2af19f50f54bf6c93cd4858d4d3b097355

SHA512
0a6efca616faf8ed60579b1ec6cfafa1d0a297c977ce59c7d92fde9713564cdbc69ea216b90a93ea821331edc79e63616600eeebf4ca97a20f2452ac5631c05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w97eN04.exe
Filesize
342KB

MD5
f7d84202be679f0d5f7c3a6f6df31464

SHA1
19ee9d0f52e847acb7281e981ec2484f37805d8f

SHA256
215844642a7a976ba4adc0c68dd984d2e7e179b7a6bec03dac78fe8a489a1fe1

SHA512
6273739850e11663022f091ea41005f0de9edc16223016f7c6aaa8113eb7c463809099e01197688411eab0a0e5f48c8e3cc97d801c99df0bfbae54141ec2abfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w97eN04.exe
Filesize
342KB

MD5
f7d84202be679f0d5f7c3a6f6df31464

SHA1
19ee9d0f52e847acb7281e981ec2484f37805d8f

SHA256
215844642a7a976ba4adc0c68dd984d2e7e179b7a6bec03dac78fe8a489a1fe1

SHA512
6273739850e11663022f091ea41005f0de9edc16223016f7c6aaa8113eb7c463809099e01197688411eab0a0e5f48c8e3cc97d801c99df0bfbae54141ec2abfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8177.exe
Filesize
329KB

MD5
0ee72e8a161669b976d6f50ee676104c

SHA1
fd507f760f6f484828a63fcf0600d39e2fbf8cf4

SHA256
55a239645bd4f2d2974d8e34e84e6e9ad38154ef1a450be48c11885b647cefb0

SHA512
cc4cc04113573a14d5d6daf6e94054bc8cd0a56d5a9d5f5c3d0fa8bfde8ba0e9e1e163a728abdf00e8b3827291c18885c4b87a47f1b14f88ee21f3017d6f6b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8177.exe
Filesize
329KB

MD5
0ee72e8a161669b976d6f50ee676104c

SHA1
fd507f760f6f484828a63fcf0600d39e2fbf8cf4

SHA256
55a239645bd4f2d2974d8e34e84e6e9ad38154ef1a450be48c11885b647cefb0

SHA512
cc4cc04113573a14d5d6daf6e94054bc8cd0a56d5a9d5f5c3d0fa8bfde8ba0e9e1e163a728abdf00e8b3827291c18885c4b87a47f1b14f88ee21f3017d6f6b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2108.exe
Filesize
12KB

MD5
89d1702d4299b62a19781938a05390ae

SHA1
925a6d021d51a4286d559e5b8935e8a3f09dfed3

SHA256
3c22bb838f62e7380df4df60a07dc61591964b26c9eb7ac7ca7a31000b9fe9a6

SHA512
58a4e3c17fe8b5c263764ee04edbce08a28d777ff5fbef0af8a0ec3118782da452f11020237e72f09f29b631fe0de915facd51518bf6abea54ddd3de545db082

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2108.exe
Filesize
12KB

MD5
89d1702d4299b62a19781938a05390ae

SHA1
925a6d021d51a4286d559e5b8935e8a3f09dfed3

SHA256
3c22bb838f62e7380df4df60a07dc61591964b26c9eb7ac7ca7a31000b9fe9a6

SHA512
58a4e3c17fe8b5c263764ee04edbce08a28d777ff5fbef0af8a0ec3118782da452f11020237e72f09f29b631fe0de915facd51518bf6abea54ddd3de545db082

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9120RJ.exe
Filesize
284KB

MD5
70d0a3bb5c83b74148e9a06dbd8823cf

SHA1
f19f91868bf6cf28505b3c73c1bc8d9f2f35c956

SHA256
444f27c5fc3b9e46111d861cadbe4fc9e557fa43a5de6def6fc4ba9a3c8ffeaa

SHA512
1e9f40749937544aba6e710c4affb6b87f615ecc8bced18315914ba3ab8df4c0597a7b4e59e57a9441f063d0361a67c42a6d87e75263b96bdcd4e45a55002502

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9120RJ.exe
Filesize
284KB

MD5
70d0a3bb5c83b74148e9a06dbd8823cf

SHA1
f19f91868bf6cf28505b3c73c1bc8d9f2f35c956

SHA256
444f27c5fc3b9e46111d861cadbe4fc9e557fa43a5de6def6fc4ba9a3c8ffeaa

SHA512
1e9f40749937544aba6e710c4affb6b87f615ecc8bced18315914ba3ab8df4c0597a7b4e59e57a9441f063d0361a67c42a6d87e75263b96bdcd4e45a55002502

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
b5b6e1eeb6b12a63b5c8a9e5bd46661b

SHA1
ff5623ae8683e77a0e6d1fa97b88bab91ee8aad7

SHA256
05c1f00b2c48ddd9116f08d8603620bca3b08309a1463b6dfa79fbeebb278425

SHA512
efa135344acfb5582cb411abaee4cb55914f1e6860aa616bd75ccaa53515b9f835ca88d513345243ad1a89f8f053792694df5a882eefccc2d63f8ea7ffc694ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
b5b6e1eeb6b12a63b5c8a9e5bd46661b

SHA1
ff5623ae8683e77a0e6d1fa97b88bab91ee8aad7

SHA256
05c1f00b2c48ddd9116f08d8603620bca3b08309a1463b6dfa79fbeebb278425

SHA512
efa135344acfb5582cb411abaee4cb55914f1e6860aa616bd75ccaa53515b9f835ca88d513345243ad1a89f8f053792694df5a882eefccc2d63f8ea7ffc694ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
b5b6e1eeb6b12a63b5c8a9e5bd46661b

SHA1
ff5623ae8683e77a0e6d1fa97b88bab91ee8aad7

SHA256
05c1f00b2c48ddd9116f08d8603620bca3b08309a1463b6dfa79fbeebb278425

SHA512
efa135344acfb5582cb411abaee4cb55914f1e6860aa616bd75ccaa53515b9f835ca88d513345243ad1a89f8f053792694df5a882eefccc2d63f8ea7ffc694ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
b5b6e1eeb6b12a63b5c8a9e5bd46661b

SHA1
ff5623ae8683e77a0e6d1fa97b88bab91ee8aad7

SHA256
05c1f00b2c48ddd9116f08d8603620bca3b08309a1463b6dfa79fbeebb278425

SHA512
efa135344acfb5582cb411abaee4cb55914f1e6860aa616bd75ccaa53515b9f835ca88d513345243ad1a89f8f053792694df5a882eefccc2d63f8ea7ffc694ad

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1228-187-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-175-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-191-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-193-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-195-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-197-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-198-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1228-199-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1228-200-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/1228-201-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1228-203-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1228-204-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1228-205-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/1228-167-0x0000000002CD0000-0x0000000002CFD000-memory.dmp

Filesize
180KB

Download
memory/1228-185-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-183-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-181-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-179-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-177-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-189-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-173-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-171-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-170-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-169-0x0000000007290000-0x0000000007834000-memory.dmp

Filesize
5.6MB

Download
memory/1228-168-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1540-161-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

Filesize
40KB

Download
memory/1944-217-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1944-1131-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1944-231-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/1944-235-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/1944-237-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/1944-239-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/1944-241-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/1944-243-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/1944-245-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/1944-247-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/1944-1120-0x00000000079A0000-0x0000000007FB8000-memory.dmp

Filesize
6.1MB

Download
memory/1944-1121-0x0000000007FC0000-0x00000000080CA000-memory.dmp

Filesize
1.0MB

Download
memory/1944-1122-0x00000000072C0000-0x00000000072D2000-memory.dmp

Filesize
72KB

Download
memory/1944-1123-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/1944-1124-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1944-1126-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/1944-1127-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/1944-1128-0x0000000008B80000-0x0000000008D42000-memory.dmp

Filesize
1.8MB

Download
memory/1944-1129-0x0000000008D50000-0x000000000927C000-memory.dmp

Filesize
5.2MB

Download
memory/1944-233-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/1944-1130-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1944-1132-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1944-1133-0x00000000095F0000-0x0000000009666000-memory.dmp

Filesize
472KB

Download
memory/1944-1134-0x0000000009680000-0x00000000096D0000-memory.dmp

Filesize
320KB

Download
memory/1944-1135-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1944-229-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/1944-227-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/1944-210-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/1944-211-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/1944-213-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/1944-225-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/1944-219-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1944-223-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/1944-221-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/1944-218-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/1944-216-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1944-214-0x0000000002D10000-0x0000000002D5B000-memory.dmp

Filesize
300KB

Download
memory/3732-1143-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/3732-1142-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/3732-1141-0x0000000000B80000-0x0000000000BB2000-memory.dmp

Filesize
200KB

Download