amadey | d28a63b36305ee7eb4272733c3f25d762bb419c48d39640d8934c7e902a2fbd0

Analysis

max time kernel
144s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d28a63b36305ee7eb4272733c3f25d762bb419c48d39640d8934c7e902a2fbd0.exe
Size

992KB
MD5

f699c6e1755d3790d4306e3a5303e275
SHA1

169bde7f45169cc763ec51326db2fb8624b3c97d
SHA256

d28a63b36305ee7eb4272733c3f25d762bb419c48d39640d8934c7e902a2fbd0
SHA512

3bd19ffa69d560bbf75113baf9ff62f394575975d0de1b4aaec9ff4df4d59048410e512b69b7cbdcc81890c6fdbdd01be72da5f2e1a7965bbe018b434d5d4798
SSDEEP

24576:Ey1NL+xZxMom4By/WzPGcyypMnnm8GmqSzq0UaikD:T1Q5MxIGEClfqxa

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz1299.exev8359eu.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz1299.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz1299.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v8359eu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v8359eu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v8359eu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz1299.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz1299.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz1299.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v8359eu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz1299.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v8359eu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v8359eu.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1968-208-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/1968-209-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/1968-211-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/1968-213-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/1968-215-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/1968-217-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/1968-219-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/1968-221-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/1968-223-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/1968-225-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/1968-227-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/1968-229-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/1968-231-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/1968-233-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/1968-235-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/1968-237-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/1968-239-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/1968-241-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/1968-449-0x0000000007180000-0x0000000007190000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y14dI75.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	y14dI75.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 11 IoCs

Processes:

zap4895.exezap6092.exezap5933.exetz1299.exev8359eu.exew82YN94.exexSFjy49.exey14dI75.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
1272	zap4895.exe
4296	zap6092.exe
772	zap5933.exe
4656	tz1299.exe
2124	v8359eu.exe
1968	w82YN94.exe
5000	xSFjy49.exe
1908	y14dI75.exe
1448	oneetx.exe
984	oneetx.exe
368	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4756 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4756	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v8359eu.exetz1299.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v8359eu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz1299.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v8359eu.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d28a63b36305ee7eb4272733c3f25d762bb419c48d39640d8934c7e902a2fbd0.exezap4895.exezap6092.exezap5933.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d28a63b36305ee7eb4272733c3f25d762bb419c48d39640d8934c7e902a2fbd0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4895.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap4895.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6092.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap6092.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap5933.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap5933.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d28a63b36305ee7eb4272733c3f25d762bb419c48d39640d8934c7e902a2fbd0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

456 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3056 2124 WerFault.exe v8359eu.exe
4852 1968 WerFault.exe w82YN94.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2564 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz1299.exev8359eu.exew82YN94.exexSFjy49.exe

pid process

4656 tz1299.exe
4656 tz1299.exe
2124 v8359eu.exe
2124 v8359eu.exe
1968 w82YN94.exe
1968 w82YN94.exe
5000 xSFjy49.exe
5000 xSFjy49.exe

pid	process
456	sc.exe

pid	pid_target	process	target process
3056	2124	WerFault.exe	v8359eu.exe
4852	1968	WerFault.exe	w82YN94.exe

pid	process
2564	schtasks.exe

pid	process
4656	tz1299.exe
4656	tz1299.exe
2124	v8359eu.exe
2124	v8359eu.exe
1968	w82YN94.exe
1968	w82YN94.exe
5000	xSFjy49.exe
5000	xSFjy49.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz1299.exev8359eu.exew82YN94.exexSFjy49.exe

description	pid	process
Token: SeDebugPrivilege	4656	tz1299.exe
Token: SeDebugPrivilege	2124	v8359eu.exe
Token: SeDebugPrivilege	1968	w82YN94.exe
Token: SeDebugPrivilege	5000	xSFjy49.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y14dI75.exe

pid process

1908 y14dI75.exe

pid	process
1908	y14dI75.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

d28a63b36305ee7eb4272733c3f25d762bb419c48d39640d8934c7e902a2fbd0.exezap4895.exezap6092.exezap5933.exey14dI75.exeoneetx.execmd.exe

description	pid	process	target process
PID 1344 wrote to memory of 1272	1344	d28a63b36305ee7eb4272733c3f25d762bb419c48d39640d8934c7e902a2fbd0.exe	zap4895.exe
PID 1344 wrote to memory of 1272	1344	d28a63b36305ee7eb4272733c3f25d762bb419c48d39640d8934c7e902a2fbd0.exe	zap4895.exe
PID 1344 wrote to memory of 1272	1344	d28a63b36305ee7eb4272733c3f25d762bb419c48d39640d8934c7e902a2fbd0.exe	zap4895.exe
PID 1272 wrote to memory of 4296	1272	zap4895.exe	zap6092.exe
PID 1272 wrote to memory of 4296	1272	zap4895.exe	zap6092.exe
PID 1272 wrote to memory of 4296	1272	zap4895.exe	zap6092.exe
PID 4296 wrote to memory of 772	4296	zap6092.exe	zap5933.exe
PID 4296 wrote to memory of 772	4296	zap6092.exe	zap5933.exe
PID 4296 wrote to memory of 772	4296	zap6092.exe	zap5933.exe
PID 772 wrote to memory of 4656	772	zap5933.exe	tz1299.exe
PID 772 wrote to memory of 4656	772	zap5933.exe	tz1299.exe
PID 772 wrote to memory of 2124	772	zap5933.exe	v8359eu.exe
PID 772 wrote to memory of 2124	772	zap5933.exe	v8359eu.exe
PID 772 wrote to memory of 2124	772	zap5933.exe	v8359eu.exe
PID 4296 wrote to memory of 1968	4296	zap6092.exe	w82YN94.exe
PID 4296 wrote to memory of 1968	4296	zap6092.exe	w82YN94.exe
PID 4296 wrote to memory of 1968	4296	zap6092.exe	w82YN94.exe
PID 1272 wrote to memory of 5000	1272	zap4895.exe	xSFjy49.exe
PID 1272 wrote to memory of 5000	1272	zap4895.exe	xSFjy49.exe
PID 1272 wrote to memory of 5000	1272	zap4895.exe	xSFjy49.exe
PID 1344 wrote to memory of 1908	1344	d28a63b36305ee7eb4272733c3f25d762bb419c48d39640d8934c7e902a2fbd0.exe	y14dI75.exe
PID 1344 wrote to memory of 1908	1344	d28a63b36305ee7eb4272733c3f25d762bb419c48d39640d8934c7e902a2fbd0.exe	y14dI75.exe
PID 1344 wrote to memory of 1908	1344	d28a63b36305ee7eb4272733c3f25d762bb419c48d39640d8934c7e902a2fbd0.exe	y14dI75.exe
PID 1908 wrote to memory of 1448	1908	y14dI75.exe	oneetx.exe
PID 1908 wrote to memory of 1448	1908	y14dI75.exe	oneetx.exe
PID 1908 wrote to memory of 1448	1908	y14dI75.exe	oneetx.exe
PID 1448 wrote to memory of 2564	1448	oneetx.exe	schtasks.exe
PID 1448 wrote to memory of 2564	1448	oneetx.exe	schtasks.exe
PID 1448 wrote to memory of 2564	1448	oneetx.exe	schtasks.exe
PID 1448 wrote to memory of 4388	1448	oneetx.exe	cmd.exe
PID 1448 wrote to memory of 4388	1448	oneetx.exe	cmd.exe
PID 1448 wrote to memory of 4388	1448	oneetx.exe	cmd.exe
PID 4388 wrote to memory of 4724	4388	cmd.exe	cmd.exe
PID 4388 wrote to memory of 4724	4388	cmd.exe	cmd.exe
PID 4388 wrote to memory of 4724	4388	cmd.exe	cmd.exe
PID 4388 wrote to memory of 1632	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 1632	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 1632	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 768	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 768	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 768	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 3860	4388	cmd.exe	cmd.exe
PID 4388 wrote to memory of 3860	4388	cmd.exe	cmd.exe
PID 4388 wrote to memory of 3860	4388	cmd.exe	cmd.exe
PID 4388 wrote to memory of 4572	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 4572	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 4572	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 1040	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 1040	4388	cmd.exe	cacls.exe
PID 4388 wrote to memory of 1040	4388	cmd.exe	cacls.exe
PID 1448 wrote to memory of 4756	1448	oneetx.exe	rundll32.exe
PID 1448 wrote to memory of 4756	1448	oneetx.exe	rundll32.exe
PID 1448 wrote to memory of 4756	1448	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\d28a63b36305ee7eb4272733c3f25d762bb419c48d39640d8934c7e902a2fbd0.exe
"C:\Users\Admin\AppData\Local\Temp\d28a63b36305ee7eb4272733c3f25d762bb419c48d39640d8934c7e902a2fbd0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4895.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4895.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6092.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6092.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4296

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap5933.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap5933.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:772

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1299.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1299.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8359eu.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8359eu.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1076
6⤵
- Program crash
PID:3056

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w82YN94.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w82YN94.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1472
5⤵
- Program crash
PID:4852

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xSFjy49.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xSFjy49.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y14dI75.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y14dI75.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:2564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4724

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:1632

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3860

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:4572

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:1040

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2124 -ip 2124
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1968 -ip 1968
1⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:984

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:368

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y14dI75.exe
Filesize
236KB

MD5
2fa69c60afa1edaf94cf260aefdeac71

SHA1
0ba27832d70d9cc813bb859081cd6ade8164238f

SHA256
e51562dd706a300010cab88c6544b3ac4a96b79418accd6cbb52a2a73aee1cec

SHA512
636cba09e7ca6a6fffaef3ce571221d418f2097aa3bff7193d13779c6aea53ddb12b0a1c27d7ab49e67aec8e28a4e9ec1f1d9fc1c2d0321bf1b2265c1b7757c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y14dI75.exe
Filesize
236KB

MD5
2fa69c60afa1edaf94cf260aefdeac71

SHA1
0ba27832d70d9cc813bb859081cd6ade8164238f

SHA256
e51562dd706a300010cab88c6544b3ac4a96b79418accd6cbb52a2a73aee1cec

SHA512
636cba09e7ca6a6fffaef3ce571221d418f2097aa3bff7193d13779c6aea53ddb12b0a1c27d7ab49e67aec8e28a4e9ec1f1d9fc1c2d0321bf1b2265c1b7757c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4895.exe
Filesize
808KB

MD5
3202a1e7209dd7afef39bec171216f61

SHA1
b08d91e25a5417f55fa7518a0d701bb9ed058af8

SHA256
ed7501c8a8e45c2a0709e096f53b0375130d1e6a8f77e1ae7fd5631a764ba385

SHA512
5a9922a27a616ddd379ee4b8a36955b1e390c4294492fbadd97af19ae35ac98afccb66f4f423ae28a380e1bd00f97dce35570e8101636876a00055d4aa1663d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4895.exe
Filesize
808KB

MD5
3202a1e7209dd7afef39bec171216f61

SHA1
b08d91e25a5417f55fa7518a0d701bb9ed058af8

SHA256
ed7501c8a8e45c2a0709e096f53b0375130d1e6a8f77e1ae7fd5631a764ba385

SHA512
5a9922a27a616ddd379ee4b8a36955b1e390c4294492fbadd97af19ae35ac98afccb66f4f423ae28a380e1bd00f97dce35570e8101636876a00055d4aa1663d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xSFjy49.exe
Filesize
175KB

MD5
b8d663cbd4fa356d09422cbbf93a5481

SHA1
d2392e831a5f3fb890d47f4b936512422e9319fc

SHA256
2b211bebe2fe27b97354ec0ddf72aa80847f60d347803f8c3c98a199abd5620b

SHA512
34a4f17b895aa470c75664595ece267e41e911530db9a3054203a1c9f2fe15f615de433756f6bd0d8e1bcfd3d6026ec614be94ac835b01666d1f0b1e0de5f6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xSFjy49.exe
Filesize
175KB

MD5
b8d663cbd4fa356d09422cbbf93a5481

SHA1
d2392e831a5f3fb890d47f4b936512422e9319fc

SHA256
2b211bebe2fe27b97354ec0ddf72aa80847f60d347803f8c3c98a199abd5620b

SHA512
34a4f17b895aa470c75664595ece267e41e911530db9a3054203a1c9f2fe15f615de433756f6bd0d8e1bcfd3d6026ec614be94ac835b01666d1f0b1e0de5f6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6092.exe
Filesize
666KB

MD5
f47d95f8ea47ea7a58b5527b1663e7ce

SHA1
84ad96a0e452f236ef35aad21e645b00a9f364db

SHA256
cad064657c5eb3ed5e4590910c821e6135fc88276502200e70a96146fb000c38

SHA512
c8af05f73e87dcf4623e90f2a7390df853e7740659d82863f14fc4c80b072b2312ef3c5dd7085cc6d3b4713b4261d434b8ecafae87a7c8abfaeed925cfaa3bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6092.exe
Filesize
666KB

MD5
f47d95f8ea47ea7a58b5527b1663e7ce

SHA1
84ad96a0e452f236ef35aad21e645b00a9f364db

SHA256
cad064657c5eb3ed5e4590910c821e6135fc88276502200e70a96146fb000c38

SHA512
c8af05f73e87dcf4623e90f2a7390df853e7740659d82863f14fc4c80b072b2312ef3c5dd7085cc6d3b4713b4261d434b8ecafae87a7c8abfaeed925cfaa3bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w82YN94.exe
Filesize
342KB

MD5
3cdbc83b1ce378945475f3f1e9caa439

SHA1
affc9f0813bf7cdabf06901cefbce195bab3238a

SHA256
e7aed8911f8a95c82b9c51033f282423b8c8bf8826f5212452b162466c11d84f

SHA512
68710f1dabd672004f920f0ee56f451d080c968b87d978231f6499e95f810173474ba1eeb04efaafb8a02feb4e9c7fa1e56c59c9151f3ac8462d489103e88ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w82YN94.exe
Filesize
342KB

MD5
3cdbc83b1ce378945475f3f1e9caa439

SHA1
affc9f0813bf7cdabf06901cefbce195bab3238a

SHA256
e7aed8911f8a95c82b9c51033f282423b8c8bf8826f5212452b162466c11d84f

SHA512
68710f1dabd672004f920f0ee56f451d080c968b87d978231f6499e95f810173474ba1eeb04efaafb8a02feb4e9c7fa1e56c59c9151f3ac8462d489103e88ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap5933.exe
Filesize
329KB

MD5
1d61031c5d9f35930db15e7f1b5c9e91

SHA1
13dc9f5f19c4fcd2e00b634b83b7c3c1432a6545

SHA256
f831ef7520ff1f8ca6c81cd29b8b31d61a2aaa906eea8617d3153f74768dabf4

SHA512
57153c4b68f6c2a261d2e0be5f51df62ddf074c9e2e173db599703802d6b54b05e710fc93070e214773308f03866906bd4d974fb6235d5bec0cbedfc2f17d788

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap5933.exe
Filesize
329KB

MD5
1d61031c5d9f35930db15e7f1b5c9e91

SHA1
13dc9f5f19c4fcd2e00b634b83b7c3c1432a6545

SHA256
f831ef7520ff1f8ca6c81cd29b8b31d61a2aaa906eea8617d3153f74768dabf4

SHA512
57153c4b68f6c2a261d2e0be5f51df62ddf074c9e2e173db599703802d6b54b05e710fc93070e214773308f03866906bd4d974fb6235d5bec0cbedfc2f17d788

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1299.exe
Filesize
12KB

MD5
5978a5b6fc6ab41bd0f6f263e2acbe5f

SHA1
441843c55fe99a524121841263f8f3c27ca119a9

SHA256
9eca899b5b5db27afa739ebc7c4ad26561a727909baf35a62099a08cf2754655

SHA512
d725dc60ae83339b69f53cc17b2cbdeef62d6326e67f86b7af5e2feb4651b56b775b191eced5f9e6423b5f27941b68d401a7169b167f0b166ed64895460206e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1299.exe
Filesize
12KB

MD5
5978a5b6fc6ab41bd0f6f263e2acbe5f

SHA1
441843c55fe99a524121841263f8f3c27ca119a9

SHA256
9eca899b5b5db27afa739ebc7c4ad26561a727909baf35a62099a08cf2754655

SHA512
d725dc60ae83339b69f53cc17b2cbdeef62d6326e67f86b7af5e2feb4651b56b775b191eced5f9e6423b5f27941b68d401a7169b167f0b166ed64895460206e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8359eu.exe
Filesize
284KB

MD5
e9ef4a8ffbc27c7d02010273bc8fa96d

SHA1
3e0fcf89147a77cb959cc1cf1db60d244c05b9b4

SHA256
24d7b7fe2504cfbbe99b8389866c9f1064d90a675a43650b59c5f95bc514e770

SHA512
e201801d08e87bb9ae2a14e0c59ce25d8099bec040fb39d3ced2c20a590040fdaaa579d35b3515f1c4d492977e3a5ff5b903c35d04f97051ec451d240d359138

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8359eu.exe
Filesize
284KB

MD5
e9ef4a8ffbc27c7d02010273bc8fa96d

SHA1
3e0fcf89147a77cb959cc1cf1db60d244c05b9b4

SHA256
24d7b7fe2504cfbbe99b8389866c9f1064d90a675a43650b59c5f95bc514e770

SHA512
e201801d08e87bb9ae2a14e0c59ce25d8099bec040fb39d3ced2c20a590040fdaaa579d35b3515f1c4d492977e3a5ff5b903c35d04f97051ec451d240d359138

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
2fa69c60afa1edaf94cf260aefdeac71

SHA1
0ba27832d70d9cc813bb859081cd6ade8164238f

SHA256
e51562dd706a300010cab88c6544b3ac4a96b79418accd6cbb52a2a73aee1cec

SHA512
636cba09e7ca6a6fffaef3ce571221d418f2097aa3bff7193d13779c6aea53ddb12b0a1c27d7ab49e67aec8e28a4e9ec1f1d9fc1c2d0321bf1b2265c1b7757c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
2fa69c60afa1edaf94cf260aefdeac71

SHA1
0ba27832d70d9cc813bb859081cd6ade8164238f

SHA256
e51562dd706a300010cab88c6544b3ac4a96b79418accd6cbb52a2a73aee1cec

SHA512
636cba09e7ca6a6fffaef3ce571221d418f2097aa3bff7193d13779c6aea53ddb12b0a1c27d7ab49e67aec8e28a4e9ec1f1d9fc1c2d0321bf1b2265c1b7757c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
2fa69c60afa1edaf94cf260aefdeac71

SHA1
0ba27832d70d9cc813bb859081cd6ade8164238f

SHA256
e51562dd706a300010cab88c6544b3ac4a96b79418accd6cbb52a2a73aee1cec

SHA512
636cba09e7ca6a6fffaef3ce571221d418f2097aa3bff7193d13779c6aea53ddb12b0a1c27d7ab49e67aec8e28a4e9ec1f1d9fc1c2d0321bf1b2265c1b7757c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
2fa69c60afa1edaf94cf260aefdeac71

SHA1
0ba27832d70d9cc813bb859081cd6ade8164238f

SHA256
e51562dd706a300010cab88c6544b3ac4a96b79418accd6cbb52a2a73aee1cec

SHA512
636cba09e7ca6a6fffaef3ce571221d418f2097aa3bff7193d13779c6aea53ddb12b0a1c27d7ab49e67aec8e28a4e9ec1f1d9fc1c2d0321bf1b2265c1b7757c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
2fa69c60afa1edaf94cf260aefdeac71

SHA1
0ba27832d70d9cc813bb859081cd6ade8164238f

SHA256
e51562dd706a300010cab88c6544b3ac4a96b79418accd6cbb52a2a73aee1cec

SHA512
636cba09e7ca6a6fffaef3ce571221d418f2097aa3bff7193d13779c6aea53ddb12b0a1c27d7ab49e67aec8e28a4e9ec1f1d9fc1c2d0321bf1b2265c1b7757c3

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1968-1124-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/1968-446-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/1968-1132-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/1968-1131-0x00000000090C0000-0x00000000095EC000-memory.dmp

Filesize
5.2MB

Download
memory/1968-1130-0x0000000008EB0000-0x0000000009072000-memory.dmp

Filesize
1.8MB

Download
memory/1968-1129-0x0000000008E50000-0x0000000008EA0000-memory.dmp

Filesize
320KB

Download
memory/1968-1128-0x0000000008DD0000-0x0000000008E46000-memory.dmp

Filesize
472KB

Download
memory/1968-1127-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/1968-1126-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/1968-1125-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/1968-1122-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/1968-208-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/1968-209-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/1968-211-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/1968-213-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/1968-215-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/1968-217-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/1968-219-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/1968-221-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/1968-223-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/1968-225-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/1968-227-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/1968-229-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/1968-231-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/1968-233-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/1968-235-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/1968-237-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/1968-239-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/1968-241-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/1968-445-0x00000000046F0000-0x000000000473B000-memory.dmp

Filesize
300KB

Download
memory/1968-449-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/1968-1121-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/1968-450-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/1968-1118-0x00000000078D0000-0x0000000007EE8000-memory.dmp

Filesize
6.1MB

Download
memory/1968-1119-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/1968-1120-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/2124-183-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2124-189-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2124-193-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2124-167-0x0000000007140000-0x00000000076E4000-memory.dmp

Filesize
5.6MB

Download
memory/2124-203-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/2124-201-0x0000000007130000-0x0000000007140000-memory.dmp

Filesize
64KB

Download
memory/2124-200-0x0000000007130000-0x0000000007140000-memory.dmp

Filesize
64KB

Download
memory/2124-199-0x0000000007130000-0x0000000007140000-memory.dmp

Filesize
64KB

Download
memory/2124-198-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/2124-197-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2124-195-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2124-185-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2124-168-0x0000000002C10000-0x0000000002C3D000-memory.dmp

Filesize
180KB

Download
memory/2124-187-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2124-191-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2124-181-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2124-179-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2124-177-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2124-175-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2124-171-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2124-173-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2124-170-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2124-169-0x0000000007130000-0x0000000007140000-memory.dmp

Filesize
64KB

Download
memory/4656-161-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/5000-1139-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/5000-1138-0x0000000000120000-0x0000000000152000-memory.dmp

Filesize
200KB

Download