amadey | 89278145295ffa4eb0ebfe5e0589241b57892e4946718b72ee3215f614314630

Analysis

max time kernel
119s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89278145295ffa4eb0ebfe5e0589241b57892e4946718b72ee3215f614314630.exe
Size

992KB
MD5

f332fdc222ed1c2967b69a383ee3129f
SHA1

19536bef03f76ee00188bdd4af215b9100442c41
SHA256

89278145295ffa4eb0ebfe5e0589241b57892e4946718b72ee3215f614314630
SHA512

c01328d999b944727fb9bac4490115d9d1991d5c23e9b2a5b1025e560a62d0ae393cd13e1c0fff3a95e4ab9e232cd34bcdd447fb25e0c4320524d74f85dccb01
SSDEEP

24576:ayv2F7IT5ZTCN/qzHbIFdKLsV5F0S4oHm+nbV36m7YLHR:hv2FKr+NUoxR4oGwpKz

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v5028vQ.exetz1254.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v5028vQ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v5028vQ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v5028vQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz1254.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz1254.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz1254.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v5028vQ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v5028vQ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v5028vQ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz1254.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz1254.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz1254.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/444-210-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/444-213-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/444-211-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/444-217-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/444-223-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/444-221-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/444-225-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/444-227-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/444-229-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/444-231-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/444-233-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/444-235-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/444-237-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/444-239-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/444-241-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/444-243-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/444-245-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/444-247-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y79Dm09.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	y79Dm09.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

Processes:

zap6542.exezap6016.exezap1506.exetz1254.exev5028vQ.exew80PS95.exexXwGC62.exey79Dm09.exeoneetx.exeoneetx.exe

pid	process
4700	zap6542.exe
4920	zap6016.exe
2196	zap1506.exe
3776	tz1254.exe
3632	v5028vQ.exe
444	w80PS95.exe
4384	xXwGC62.exe
2336	y79Dm09.exe
1888	oneetx.exe
2516	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3080 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3080	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz1254.exev5028vQ.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz1254.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v5028vQ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v5028vQ.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap1506.exe89278145295ffa4eb0ebfe5e0589241b57892e4946718b72ee3215f614314630.exezap6542.exezap6016.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap1506.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	89278145295ffa4eb0ebfe5e0589241b57892e4946718b72ee3215f614314630.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	89278145295ffa4eb0ebfe5e0589241b57892e4946718b72ee3215f614314630.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6542.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap6542.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6016.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap6016.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1506.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4332 3632 WerFault.exe v5028vQ.exe
2820 444 WerFault.exe w80PS95.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2088 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz1254.exev5028vQ.exew80PS95.exexXwGC62.exe

pid process

3776 tz1254.exe
3776 tz1254.exe
3632 v5028vQ.exe
3632 v5028vQ.exe
444 w80PS95.exe
444 w80PS95.exe
4384 xXwGC62.exe
4384 xXwGC62.exe

pid	pid_target	process	target process
4332	3632	WerFault.exe	v5028vQ.exe
2820	444	WerFault.exe	w80PS95.exe

pid	process
2088	schtasks.exe

pid	process
3776	tz1254.exe
3776	tz1254.exe
3632	v5028vQ.exe
3632	v5028vQ.exe
444	w80PS95.exe
444	w80PS95.exe
4384	xXwGC62.exe
4384	xXwGC62.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz1254.exev5028vQ.exew80PS95.exexXwGC62.exe

description	pid	process
Token: SeDebugPrivilege	3776	tz1254.exe
Token: SeDebugPrivilege	3632	v5028vQ.exe
Token: SeDebugPrivilege	444	w80PS95.exe
Token: SeDebugPrivilege	4384	xXwGC62.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y79Dm09.exe

pid process

2336 y79Dm09.exe

pid	process
2336	y79Dm09.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

89278145295ffa4eb0ebfe5e0589241b57892e4946718b72ee3215f614314630.exezap6542.exezap6016.exezap1506.exey79Dm09.exeoneetx.execmd.exe

description	pid	process	target process
PID 776 wrote to memory of 4700	776	89278145295ffa4eb0ebfe5e0589241b57892e4946718b72ee3215f614314630.exe	zap6542.exe
PID 776 wrote to memory of 4700	776	89278145295ffa4eb0ebfe5e0589241b57892e4946718b72ee3215f614314630.exe	zap6542.exe
PID 776 wrote to memory of 4700	776	89278145295ffa4eb0ebfe5e0589241b57892e4946718b72ee3215f614314630.exe	zap6542.exe
PID 4700 wrote to memory of 4920	4700	zap6542.exe	zap6016.exe
PID 4700 wrote to memory of 4920	4700	zap6542.exe	zap6016.exe
PID 4700 wrote to memory of 4920	4700	zap6542.exe	zap6016.exe
PID 4920 wrote to memory of 2196	4920	zap6016.exe	zap1506.exe
PID 4920 wrote to memory of 2196	4920	zap6016.exe	zap1506.exe
PID 4920 wrote to memory of 2196	4920	zap6016.exe	zap1506.exe
PID 2196 wrote to memory of 3776	2196	zap1506.exe	tz1254.exe
PID 2196 wrote to memory of 3776	2196	zap1506.exe	tz1254.exe
PID 2196 wrote to memory of 3632	2196	zap1506.exe	v5028vQ.exe
PID 2196 wrote to memory of 3632	2196	zap1506.exe	v5028vQ.exe
PID 2196 wrote to memory of 3632	2196	zap1506.exe	v5028vQ.exe
PID 4920 wrote to memory of 444	4920	zap6016.exe	w80PS95.exe
PID 4920 wrote to memory of 444	4920	zap6016.exe	w80PS95.exe
PID 4920 wrote to memory of 444	4920	zap6016.exe	w80PS95.exe
PID 4700 wrote to memory of 4384	4700	zap6542.exe	xXwGC62.exe
PID 4700 wrote to memory of 4384	4700	zap6542.exe	xXwGC62.exe
PID 4700 wrote to memory of 4384	4700	zap6542.exe	xXwGC62.exe
PID 776 wrote to memory of 2336	776	89278145295ffa4eb0ebfe5e0589241b57892e4946718b72ee3215f614314630.exe	y79Dm09.exe
PID 776 wrote to memory of 2336	776	89278145295ffa4eb0ebfe5e0589241b57892e4946718b72ee3215f614314630.exe	y79Dm09.exe
PID 776 wrote to memory of 2336	776	89278145295ffa4eb0ebfe5e0589241b57892e4946718b72ee3215f614314630.exe	y79Dm09.exe
PID 2336 wrote to memory of 1888	2336	y79Dm09.exe	oneetx.exe
PID 2336 wrote to memory of 1888	2336	y79Dm09.exe	oneetx.exe
PID 2336 wrote to memory of 1888	2336	y79Dm09.exe	oneetx.exe
PID 1888 wrote to memory of 2088	1888	oneetx.exe	schtasks.exe
PID 1888 wrote to memory of 2088	1888	oneetx.exe	schtasks.exe
PID 1888 wrote to memory of 2088	1888	oneetx.exe	schtasks.exe
PID 1888 wrote to memory of 2940	1888	oneetx.exe	cmd.exe
PID 1888 wrote to memory of 2940	1888	oneetx.exe	cmd.exe
PID 1888 wrote to memory of 2940	1888	oneetx.exe	cmd.exe
PID 2940 wrote to memory of 4444	2940	cmd.exe	cmd.exe
PID 2940 wrote to memory of 4444	2940	cmd.exe	cmd.exe
PID 2940 wrote to memory of 4444	2940	cmd.exe	cmd.exe
PID 2940 wrote to memory of 1644	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 1644	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 1644	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 3468	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 3468	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 3468	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 2684	2940	cmd.exe	cmd.exe
PID 2940 wrote to memory of 2684	2940	cmd.exe	cmd.exe
PID 2940 wrote to memory of 2684	2940	cmd.exe	cmd.exe
PID 2940 wrote to memory of 4568	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 4568	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 4568	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 4248	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 4248	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 4248	2940	cmd.exe	cacls.exe
PID 1888 wrote to memory of 3080	1888	oneetx.exe	rundll32.exe
PID 1888 wrote to memory of 3080	1888	oneetx.exe	rundll32.exe
PID 1888 wrote to memory of 3080	1888	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\89278145295ffa4eb0ebfe5e0589241b57892e4946718b72ee3215f614314630.exe
"C:\Users\Admin\AppData\Local\Temp\89278145295ffa4eb0ebfe5e0589241b57892e4946718b72ee3215f614314630.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6542.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6542.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4700

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6016.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6016.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4920

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1506.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1506.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1254.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1254.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5028vQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5028vQ.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1028
6⤵
- Program crash
PID:4332

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w80PS95.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w80PS95.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 1336
5⤵
- Program crash
PID:2820

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXwGC62.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXwGC62.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y79Dm09.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y79Dm09.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2336

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:2088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4444

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:1644

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2684

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:4568

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:4248

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3632 -ip 3632
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 444 -ip 444
1⤵
PID:3204

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:2516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y79Dm09.exe
Filesize
236KB

MD5
899577b7c46af3baada63a665659a11c

SHA1
cc78fb7dabd2aa760236e47a760527f759833852

SHA256
ef65048b4a267e1d8bfd6b29093ce8286acfb80320e6cc2a8fc23c4fdee93248

SHA512
bd68f2347ffc3b17013ae4e6039bfb2d68ce5605d46b5f87b583d67183a29b48b32521f53477f85c25f09a9ebc41b8588104a72af2b3490fc197bbead0dbc683

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y79Dm09.exe
Filesize
236KB

MD5
899577b7c46af3baada63a665659a11c

SHA1
cc78fb7dabd2aa760236e47a760527f759833852

SHA256
ef65048b4a267e1d8bfd6b29093ce8286acfb80320e6cc2a8fc23c4fdee93248

SHA512
bd68f2347ffc3b17013ae4e6039bfb2d68ce5605d46b5f87b583d67183a29b48b32521f53477f85c25f09a9ebc41b8588104a72af2b3490fc197bbead0dbc683

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6542.exe
Filesize
808KB

MD5
77ac7834dbd58e5a9f89cc4a903e9141

SHA1
0de157e4da45b39488447a8b5425d58b98cd328f

SHA256
aa4c5c6c49433bb4fca2c1d7bab74044b9f85ecde9fb50f7774c2f55fbda40dc

SHA512
380cc11217fa793670ddbbb7ae56036b91c3ec0653d5ddaeb3e2445fd0f0095ce8d50e5a8e73a0b9cd0f1f023533dc97c518c00cd3035b291a6338c8f0de9ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6542.exe
Filesize
808KB

MD5
77ac7834dbd58e5a9f89cc4a903e9141

SHA1
0de157e4da45b39488447a8b5425d58b98cd328f

SHA256
aa4c5c6c49433bb4fca2c1d7bab74044b9f85ecde9fb50f7774c2f55fbda40dc

SHA512
380cc11217fa793670ddbbb7ae56036b91c3ec0653d5ddaeb3e2445fd0f0095ce8d50e5a8e73a0b9cd0f1f023533dc97c518c00cd3035b291a6338c8f0de9ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXwGC62.exe
Filesize
175KB

MD5
cc5a40550dc096c92e8932ec0a3d18f4

SHA1
05139f6c3cdf0e54f31d7473259d4d8f8fa8e4e7

SHA256
c67cccfe50765bdffca3622279e7678af9d70d67fedaed08246c9629a9f6c7dd

SHA512
feed4df002d6a330b5322f8ab90adc51b6c6a7bbc462dbb77831b82a67c91d2ec5b0cf7917dcef8f41a8beb2aff39232ec4980cec1c5e0f6e743c382f91735c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXwGC62.exe
Filesize
175KB

MD5
cc5a40550dc096c92e8932ec0a3d18f4

SHA1
05139f6c3cdf0e54f31d7473259d4d8f8fa8e4e7

SHA256
c67cccfe50765bdffca3622279e7678af9d70d67fedaed08246c9629a9f6c7dd

SHA512
feed4df002d6a330b5322f8ab90adc51b6c6a7bbc462dbb77831b82a67c91d2ec5b0cf7917dcef8f41a8beb2aff39232ec4980cec1c5e0f6e743c382f91735c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6016.exe
Filesize
666KB

MD5
b6f7df5467a96dd95571564ae8b579b5

SHA1
b53bbf2e7a7a09137737c359cc8a2825ad81fdba

SHA256
71fa762822ee1ddb38ac9031db44efcb31a3d367a007b60866d68c4d93902611

SHA512
826f42a8d78e8af9bc8f161165962c3ee626f966bd3efd8cbc0732769204c4fcb48a09c71474486289dcd256913a151bc9104522d6a982e0cb9bdde1145497d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6016.exe
Filesize
666KB

MD5
b6f7df5467a96dd95571564ae8b579b5

SHA1
b53bbf2e7a7a09137737c359cc8a2825ad81fdba

SHA256
71fa762822ee1ddb38ac9031db44efcb31a3d367a007b60866d68c4d93902611

SHA512
826f42a8d78e8af9bc8f161165962c3ee626f966bd3efd8cbc0732769204c4fcb48a09c71474486289dcd256913a151bc9104522d6a982e0cb9bdde1145497d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w80PS95.exe
Filesize
342KB

MD5
f326aa272739c3014761b33ffdaedbd5

SHA1
ff355ffd1f7f4eecdc7ba764806c9440d3adfd40

SHA256
c32021ebe2ceccf4e948c62cbb36ca4c76897114d683198c1514f8e8c99b21f7

SHA512
ddc1478a85c3cf256032d3577f5ee22e1200bcababe26ad4a168f7a6b9ebaa41a0b3e609aa66fbc6a48b93aedaa3133406d7234ad08a1c7cd88278f2e44fcd11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w80PS95.exe
Filesize
342KB

MD5
f326aa272739c3014761b33ffdaedbd5

SHA1
ff355ffd1f7f4eecdc7ba764806c9440d3adfd40

SHA256
c32021ebe2ceccf4e948c62cbb36ca4c76897114d683198c1514f8e8c99b21f7

SHA512
ddc1478a85c3cf256032d3577f5ee22e1200bcababe26ad4a168f7a6b9ebaa41a0b3e609aa66fbc6a48b93aedaa3133406d7234ad08a1c7cd88278f2e44fcd11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1506.exe
Filesize
329KB

MD5
a21a90b3701da48f4cc1b2ff5b90ba59

SHA1
02997242b480bb041cd0fe65c605fc1557b48998

SHA256
33827d1ea5e9973f23f14d4ff02d0b5356627a7ab187f1397628e69aef3af300

SHA512
a889656bfd32cc10989591a337bbeb83209e575c67cca61af6cfa65a00ee61dbd0d64f668731326d61aceeec89613370adba89b2ed7338baa4c0785b7c698053

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1506.exe
Filesize
329KB

MD5
a21a90b3701da48f4cc1b2ff5b90ba59

SHA1
02997242b480bb041cd0fe65c605fc1557b48998

SHA256
33827d1ea5e9973f23f14d4ff02d0b5356627a7ab187f1397628e69aef3af300

SHA512
a889656bfd32cc10989591a337bbeb83209e575c67cca61af6cfa65a00ee61dbd0d64f668731326d61aceeec89613370adba89b2ed7338baa4c0785b7c698053

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1254.exe
Filesize
12KB

MD5
a522c0bd25e610d4476a1c1ab5608012

SHA1
8a81965ee55d33ec14cc91e9545689e4304b01ac

SHA256
7145b074802cdb63953130b74772269b14c35f08c1c59878663d26fa9399c3c7

SHA512
fe3510f366c054b05a4d1b11482bd149879c4e38e7751f9e53de463089df4613cfba74e4f093b5e755ef22b344d97f4a8b39f55933f67ef274b7bcfc9c64f43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1254.exe
Filesize
12KB

MD5
a522c0bd25e610d4476a1c1ab5608012

SHA1
8a81965ee55d33ec14cc91e9545689e4304b01ac

SHA256
7145b074802cdb63953130b74772269b14c35f08c1c59878663d26fa9399c3c7

SHA512
fe3510f366c054b05a4d1b11482bd149879c4e38e7751f9e53de463089df4613cfba74e4f093b5e755ef22b344d97f4a8b39f55933f67ef274b7bcfc9c64f43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5028vQ.exe
Filesize
284KB

MD5
347f94dc715125531229ccc93132bcb6

SHA1
876578002804e0d93473dc6e67e6691983f1be59

SHA256
fafdf4dfbc5f2b86a8d6f410b254c29c9cfe5257ad0fb50748ec562e8b1f9902

SHA512
b1004b286d8df1a7f50a3c599ce5ef90dd3d0289334f79b568f67500377b5be6127bec5e99a63d0afa171f04642bd7647721a5f16aa58967dd0221121a22bd59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5028vQ.exe
Filesize
284KB

MD5
347f94dc715125531229ccc93132bcb6

SHA1
876578002804e0d93473dc6e67e6691983f1be59

SHA256
fafdf4dfbc5f2b86a8d6f410b254c29c9cfe5257ad0fb50748ec562e8b1f9902

SHA512
b1004b286d8df1a7f50a3c599ce5ef90dd3d0289334f79b568f67500377b5be6127bec5e99a63d0afa171f04642bd7647721a5f16aa58967dd0221121a22bd59

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
899577b7c46af3baada63a665659a11c

SHA1
cc78fb7dabd2aa760236e47a760527f759833852

SHA256
ef65048b4a267e1d8bfd6b29093ce8286acfb80320e6cc2a8fc23c4fdee93248

SHA512
bd68f2347ffc3b17013ae4e6039bfb2d68ce5605d46b5f87b583d67183a29b48b32521f53477f85c25f09a9ebc41b8588104a72af2b3490fc197bbead0dbc683

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
899577b7c46af3baada63a665659a11c

SHA1
cc78fb7dabd2aa760236e47a760527f759833852

SHA256
ef65048b4a267e1d8bfd6b29093ce8286acfb80320e6cc2a8fc23c4fdee93248

SHA512
bd68f2347ffc3b17013ae4e6039bfb2d68ce5605d46b5f87b583d67183a29b48b32521f53477f85c25f09a9ebc41b8588104a72af2b3490fc197bbead0dbc683

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
899577b7c46af3baada63a665659a11c

SHA1
cc78fb7dabd2aa760236e47a760527f759833852

SHA256
ef65048b4a267e1d8bfd6b29093ce8286acfb80320e6cc2a8fc23c4fdee93248

SHA512
bd68f2347ffc3b17013ae4e6039bfb2d68ce5605d46b5f87b583d67183a29b48b32521f53477f85c25f09a9ebc41b8588104a72af2b3490fc197bbead0dbc683

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
899577b7c46af3baada63a665659a11c

SHA1
cc78fb7dabd2aa760236e47a760527f759833852

SHA256
ef65048b4a267e1d8bfd6b29093ce8286acfb80320e6cc2a8fc23c4fdee93248

SHA512
bd68f2347ffc3b17013ae4e6039bfb2d68ce5605d46b5f87b583d67183a29b48b32521f53477f85c25f09a9ebc41b8588104a72af2b3490fc197bbead0dbc683

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/444-1127-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/444-243-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/444-1135-0x0000000009090000-0x00000000095BC000-memory.dmp

Filesize
5.2MB

Download
memory/444-1134-0x0000000008EC0000-0x0000000009082000-memory.dmp

Filesize
1.8MB

Download
memory/444-1133-0x0000000008E60000-0x0000000008EB0000-memory.dmp

Filesize
320KB

Download
memory/444-1132-0x0000000008DC0000-0x0000000008E36000-memory.dmp

Filesize
472KB

Download
memory/444-1131-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/444-1130-0x0000000008320000-0x0000000008386000-memory.dmp

Filesize
408KB

Download
memory/444-1129-0x0000000008280000-0x0000000008312000-memory.dmp

Filesize
584KB

Download
memory/444-1128-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/444-1126-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/444-1124-0x00000000072A0000-0x00000000072DC000-memory.dmp

Filesize
240KB

Download
memory/444-1123-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/444-1122-0x0000000007280000-0x0000000007292000-memory.dmp

Filesize
72KB

Download
memory/444-210-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/444-213-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/444-211-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/444-217-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/444-214-0x0000000002CF0000-0x0000000002D3B000-memory.dmp

Filesize
300KB

Download
memory/444-216-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/444-218-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/444-220-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/444-223-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/444-221-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/444-225-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/444-227-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/444-229-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/444-231-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/444-233-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/444-235-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/444-237-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/444-239-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/444-241-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/444-1121-0x0000000007F30000-0x000000000803A000-memory.dmp

Filesize
1.0MB

Download
memory/444-245-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/444-247-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/444-1120-0x0000000007910000-0x0000000007F28000-memory.dmp

Filesize
6.1MB

Download
memory/3632-185-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3632-168-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3632-195-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3632-205-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/3632-203-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3632-199-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3632-202-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3632-201-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3632-200-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/3632-179-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3632-181-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3632-183-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3632-189-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3632-197-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3632-175-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3632-187-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3632-167-0x00000000047B0000-0x00000000047DD000-memory.dmp

Filesize
180KB

Download
memory/3632-191-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3632-193-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3632-177-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3632-173-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3632-172-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3632-171-0x0000000007310000-0x00000000078B4000-memory.dmp

Filesize
5.6MB

Download
memory/3632-170-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3632-169-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3776-161-0x0000000000870000-0x000000000087A000-memory.dmp

Filesize
40KB

Download
memory/4384-1143-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4384-1142-0x0000000000390000-0x00000000003C2000-memory.dmp

Filesize
200KB

Download