amadey | 06264f595f357bc9f0e3ad7fd16c52057e18bce25d1460eab5a5b10c2b6d3c72

Analysis

max time kernel
144s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06264f595f357bc9f0e3ad7fd16c52057e18bce25d1460eab5a5b10c2b6d3c72.exe
Size

993KB
MD5

ec715de81d7fd11f3c0c224e050b2733
SHA1

dc44b20883426bcb69d1ccc32499499ab10cd285
SHA256

06264f595f357bc9f0e3ad7fd16c52057e18bce25d1460eab5a5b10c2b6d3c72
SHA512

cf5f965cbd4e69c47dce8206b56e9f68a50726b79b35a8f1eff8fdca26890c74cbffd3482872649d7df5b31ba186d02db96068d264c7be6293ea71bac60fc491
SSDEEP

24576:byJPyDp5EghwvJMjaPAy0C1oi0lguMN6:OW5iWIhoi0ltMN

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v5941yL.exetz8633.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v5941yL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v5941yL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v5941yL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz8633.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz8633.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v5941yL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz8633.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v5941yL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v5941yL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz8633.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz8633.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz8633.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3360-210-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/3360-211-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/3360-213-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/3360-216-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/3360-220-0x0000000007220000-0x0000000007230000-memory.dmp	family_redline
behavioral1/memory/3360-221-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/3360-223-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/3360-225-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/3360-227-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/3360-229-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/3360-231-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/3360-233-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/3360-235-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/3360-237-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/3360-239-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/3360-241-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/3360-243-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/3360-245-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/3360-247-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y50bi78.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	y50bi78.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 11 IoCs

Processes:

zap7311.exezap8698.exezap7377.exetz8633.exev5941yL.exew66iL74.exexuUst29.exey50bi78.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
1036	zap7311.exe
724	zap8698.exe
4668	zap7377.exe
1592	tz8633.exe
1228	v5941yL.exe
3360	w66iL74.exe
1796	xuUst29.exe
4864	y50bi78.exe
4060	oneetx.exe
2556	oneetx.exe
824	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3864 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3864	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz8633.exev5941yL.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz8633.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v5941yL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v5941yL.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

06264f595f357bc9f0e3ad7fd16c52057e18bce25d1460eab5a5b10c2b6d3c72.exezap7311.exezap8698.exezap7377.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	06264f595f357bc9f0e3ad7fd16c52057e18bce25d1460eab5a5b10c2b6d3c72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	06264f595f357bc9f0e3ad7fd16c52057e18bce25d1460eab5a5b10c2b6d3c72.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7311.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap7311.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8698.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap8698.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7377.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap7377.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2084 1228 WerFault.exe v5941yL.exe
4072 3360 WerFault.exe w66iL74.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

756 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz8633.exev5941yL.exew66iL74.exexuUst29.exe

pid process

1592 tz8633.exe
1592 tz8633.exe
1228 v5941yL.exe
1228 v5941yL.exe
3360 w66iL74.exe
3360 w66iL74.exe
1796 xuUst29.exe
1796 xuUst29.exe

pid	pid_target	process	target process
2084	1228	WerFault.exe	v5941yL.exe
4072	3360	WerFault.exe	w66iL74.exe

pid	process
756	schtasks.exe

pid	process
1592	tz8633.exe
1592	tz8633.exe
1228	v5941yL.exe
1228	v5941yL.exe
3360	w66iL74.exe
3360	w66iL74.exe
1796	xuUst29.exe
1796	xuUst29.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz8633.exev5941yL.exew66iL74.exexuUst29.exe

description	pid	process
Token: SeDebugPrivilege	1592	tz8633.exe
Token: SeDebugPrivilege	1228	v5941yL.exe
Token: SeDebugPrivilege	3360	w66iL74.exe
Token: SeDebugPrivilege	1796	xuUst29.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y50bi78.exe

pid process

4864 y50bi78.exe

pid	process
4864	y50bi78.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

06264f595f357bc9f0e3ad7fd16c52057e18bce25d1460eab5a5b10c2b6d3c72.exezap7311.exezap8698.exezap7377.exey50bi78.exeoneetx.execmd.exe

description	pid	process	target process
PID 2704 wrote to memory of 1036	2704	06264f595f357bc9f0e3ad7fd16c52057e18bce25d1460eab5a5b10c2b6d3c72.exe	zap7311.exe
PID 2704 wrote to memory of 1036	2704	06264f595f357bc9f0e3ad7fd16c52057e18bce25d1460eab5a5b10c2b6d3c72.exe	zap7311.exe
PID 2704 wrote to memory of 1036	2704	06264f595f357bc9f0e3ad7fd16c52057e18bce25d1460eab5a5b10c2b6d3c72.exe	zap7311.exe
PID 1036 wrote to memory of 724	1036	zap7311.exe	zap8698.exe
PID 1036 wrote to memory of 724	1036	zap7311.exe	zap8698.exe
PID 1036 wrote to memory of 724	1036	zap7311.exe	zap8698.exe
PID 724 wrote to memory of 4668	724	zap8698.exe	zap7377.exe
PID 724 wrote to memory of 4668	724	zap8698.exe	zap7377.exe
PID 724 wrote to memory of 4668	724	zap8698.exe	zap7377.exe
PID 4668 wrote to memory of 1592	4668	zap7377.exe	tz8633.exe
PID 4668 wrote to memory of 1592	4668	zap7377.exe	tz8633.exe
PID 4668 wrote to memory of 1228	4668	zap7377.exe	v5941yL.exe
PID 4668 wrote to memory of 1228	4668	zap7377.exe	v5941yL.exe
PID 4668 wrote to memory of 1228	4668	zap7377.exe	v5941yL.exe
PID 724 wrote to memory of 3360	724	zap8698.exe	w66iL74.exe
PID 724 wrote to memory of 3360	724	zap8698.exe	w66iL74.exe
PID 724 wrote to memory of 3360	724	zap8698.exe	w66iL74.exe
PID 1036 wrote to memory of 1796	1036	zap7311.exe	xuUst29.exe
PID 1036 wrote to memory of 1796	1036	zap7311.exe	xuUst29.exe
PID 1036 wrote to memory of 1796	1036	zap7311.exe	xuUst29.exe
PID 2704 wrote to memory of 4864	2704	06264f595f357bc9f0e3ad7fd16c52057e18bce25d1460eab5a5b10c2b6d3c72.exe	y50bi78.exe
PID 2704 wrote to memory of 4864	2704	06264f595f357bc9f0e3ad7fd16c52057e18bce25d1460eab5a5b10c2b6d3c72.exe	y50bi78.exe
PID 2704 wrote to memory of 4864	2704	06264f595f357bc9f0e3ad7fd16c52057e18bce25d1460eab5a5b10c2b6d3c72.exe	y50bi78.exe
PID 4864 wrote to memory of 4060	4864	y50bi78.exe	oneetx.exe
PID 4864 wrote to memory of 4060	4864	y50bi78.exe	oneetx.exe
PID 4864 wrote to memory of 4060	4864	y50bi78.exe	oneetx.exe
PID 4060 wrote to memory of 756	4060	oneetx.exe	schtasks.exe
PID 4060 wrote to memory of 756	4060	oneetx.exe	schtasks.exe
PID 4060 wrote to memory of 756	4060	oneetx.exe	schtasks.exe
PID 4060 wrote to memory of 3992	4060	oneetx.exe	cmd.exe
PID 4060 wrote to memory of 3992	4060	oneetx.exe	cmd.exe
PID 4060 wrote to memory of 3992	4060	oneetx.exe	cmd.exe
PID 3992 wrote to memory of 4544	3992	cmd.exe	cmd.exe
PID 3992 wrote to memory of 4544	3992	cmd.exe	cmd.exe
PID 3992 wrote to memory of 4544	3992	cmd.exe	cmd.exe
PID 3992 wrote to memory of 2224	3992	cmd.exe	cacls.exe
PID 3992 wrote to memory of 2224	3992	cmd.exe	cacls.exe
PID 3992 wrote to memory of 2224	3992	cmd.exe	cacls.exe
PID 3992 wrote to memory of 3688	3992	cmd.exe	cacls.exe
PID 3992 wrote to memory of 3688	3992	cmd.exe	cacls.exe
PID 3992 wrote to memory of 3688	3992	cmd.exe	cacls.exe
PID 3992 wrote to memory of 3808	3992	cmd.exe	cmd.exe
PID 3992 wrote to memory of 3808	3992	cmd.exe	cmd.exe
PID 3992 wrote to memory of 3808	3992	cmd.exe	cmd.exe
PID 3992 wrote to memory of 4784	3992	cmd.exe	cacls.exe
PID 3992 wrote to memory of 4784	3992	cmd.exe	cacls.exe
PID 3992 wrote to memory of 4784	3992	cmd.exe	cacls.exe
PID 3992 wrote to memory of 1944	3992	cmd.exe	cacls.exe
PID 3992 wrote to memory of 1944	3992	cmd.exe	cacls.exe
PID 3992 wrote to memory of 1944	3992	cmd.exe	cacls.exe
PID 4060 wrote to memory of 3864	4060	oneetx.exe	rundll32.exe
PID 4060 wrote to memory of 3864	4060	oneetx.exe	rundll32.exe
PID 4060 wrote to memory of 3864	4060	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\06264f595f357bc9f0e3ad7fd16c52057e18bce25d1460eab5a5b10c2b6d3c72.exe
"C:\Users\Admin\AppData\Local\Temp\06264f595f357bc9f0e3ad7fd16c52057e18bce25d1460eab5a5b10c2b6d3c72.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7311.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7311.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8698.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8698.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:724

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7377.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7377.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4668

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8633.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8633.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5941yL.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5941yL.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 1084
6⤵
- Program crash
PID:2084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w66iL74.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w66iL74.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 1348
5⤵
- Program crash
PID:4072

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xuUst29.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xuUst29.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y50bi78.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y50bi78.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4864

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4544

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:2224

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3808

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:4784

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:1944

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1228 -ip 1228
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3360 -ip 3360
1⤵
PID:3296

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y50bi78.exe
Filesize
236KB

MD5
095125c27cce3701c8dbe18f7392c5a9

SHA1
4c062de15d461c2f971b29e28d214cd2f332c550

SHA256
941675b23d0e2ef0890d14ae5ac5eec3241506028b2f3b6735afdf1b2e919db2

SHA512
9b41d72aa54759ed38e0a3efc2e97a3bf45a73c4beb2cac8256566fb5aa0ae250271971d586b35a745e123f4480c637c2deca4b753e51539f00f05e0419d0e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y50bi78.exe
Filesize
236KB

MD5
095125c27cce3701c8dbe18f7392c5a9

SHA1
4c062de15d461c2f971b29e28d214cd2f332c550

SHA256
941675b23d0e2ef0890d14ae5ac5eec3241506028b2f3b6735afdf1b2e919db2

SHA512
9b41d72aa54759ed38e0a3efc2e97a3bf45a73c4beb2cac8256566fb5aa0ae250271971d586b35a745e123f4480c637c2deca4b753e51539f00f05e0419d0e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7311.exe
Filesize
809KB

MD5
ab3755f8777e669678e69834f824bb85

SHA1
9638c395bc63759ae79c030b12e5457b64d36a7a

SHA256
60deb6a2ee29d811a6972dcf7397484b1095945f843283666307ae241c2b97f0

SHA512
9f65d9d9b7a9e2d2c704cc1e4fe1e193fea94e301d6d236b963f2490a4e23b76c77393178093b71d8836bd6f99933aee51dcf5b81e6d4e39b0ccfb76335ee118

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7311.exe
Filesize
809KB

MD5
ab3755f8777e669678e69834f824bb85

SHA1
9638c395bc63759ae79c030b12e5457b64d36a7a

SHA256
60deb6a2ee29d811a6972dcf7397484b1095945f843283666307ae241c2b97f0

SHA512
9f65d9d9b7a9e2d2c704cc1e4fe1e193fea94e301d6d236b963f2490a4e23b76c77393178093b71d8836bd6f99933aee51dcf5b81e6d4e39b0ccfb76335ee118

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xuUst29.exe
Filesize
175KB

MD5
4b4db5ef48aeeb045ebf2393e59d31b7

SHA1
76a406bb89adc08fa3f6dd7fad043de474b50526

SHA256
a6150ae31ecbadf17088bae6abe47bca5acabc2b36ec082bed7f65dfd716a732

SHA512
b5e7aa9e1d2b8ed10cbba45e85edbeff60a6789935b1cef708de5fd8631321a6f93e59235e5bff0732c2ba2dab70b08957f39ade8ed03570062edc26f18fe803

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xuUst29.exe
Filesize
175KB

MD5
4b4db5ef48aeeb045ebf2393e59d31b7

SHA1
76a406bb89adc08fa3f6dd7fad043de474b50526

SHA256
a6150ae31ecbadf17088bae6abe47bca5acabc2b36ec082bed7f65dfd716a732

SHA512
b5e7aa9e1d2b8ed10cbba45e85edbeff60a6789935b1cef708de5fd8631321a6f93e59235e5bff0732c2ba2dab70b08957f39ade8ed03570062edc26f18fe803

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8698.exe
Filesize
667KB

MD5
8757c16d9f8181b912f3cc6869dda3d0

SHA1
6bfe01908f02807b6595e442ccd3c70253f76d48

SHA256
83e47f0d406c3137eb4b6bbbc1edd89080f0acc4a5be1402c41c84410ddfe497

SHA512
67518eca23bf9d08ad654b3f56c0a74ad4c4a29c9490a6510b873b0ca540557811de5b34bcca892ad26c3dbfc57a9a3d4d767de150ffb4861c6431a84f00c21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8698.exe
Filesize
667KB

MD5
8757c16d9f8181b912f3cc6869dda3d0

SHA1
6bfe01908f02807b6595e442ccd3c70253f76d48

SHA256
83e47f0d406c3137eb4b6bbbc1edd89080f0acc4a5be1402c41c84410ddfe497

SHA512
67518eca23bf9d08ad654b3f56c0a74ad4c4a29c9490a6510b873b0ca540557811de5b34bcca892ad26c3dbfc57a9a3d4d767de150ffb4861c6431a84f00c21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w66iL74.exe
Filesize
355KB

MD5
7c5bfe47941a26c0f7c7e8b5eb242a9b

SHA1
9fc60d6e0ab9b2627f6c74e79b59c1d27b756917

SHA256
e0a410eee9a2e5512cca7abf091efb4eed2ccc479c646c083a13967694b70c89

SHA512
9978799844db75198c4f78eccf1a5890de5cb6acd0c28f7d86a54e9ec212c125094f235bee6ef3abb8bc77e309380a74717926c9cc65f4ad8dcae185c3d170e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w66iL74.exe
Filesize
355KB

MD5
7c5bfe47941a26c0f7c7e8b5eb242a9b

SHA1
9fc60d6e0ab9b2627f6c74e79b59c1d27b756917

SHA256
e0a410eee9a2e5512cca7abf091efb4eed2ccc479c646c083a13967694b70c89

SHA512
9978799844db75198c4f78eccf1a5890de5cb6acd0c28f7d86a54e9ec212c125094f235bee6ef3abb8bc77e309380a74717926c9cc65f4ad8dcae185c3d170e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7377.exe
Filesize
329KB

MD5
0211823245f02be67f63824370363299

SHA1
5aa7801cfeca796af8598e41958a9ea8411674a1

SHA256
453c4c74a66976328836bce69da1599fd187b24e286a2d82ea523cdf48acc66b

SHA512
837f0937837b61834fc76295dbe33349141ca9aa7e695e602898afa4e2a21e0274b1634feddd68f71c8e1107a0ddbc92d95e757c354e988117eca1c1337dfed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7377.exe
Filesize
329KB

MD5
0211823245f02be67f63824370363299

SHA1
5aa7801cfeca796af8598e41958a9ea8411674a1

SHA256
453c4c74a66976328836bce69da1599fd187b24e286a2d82ea523cdf48acc66b

SHA512
837f0937837b61834fc76295dbe33349141ca9aa7e695e602898afa4e2a21e0274b1634feddd68f71c8e1107a0ddbc92d95e757c354e988117eca1c1337dfed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8633.exe
Filesize
12KB

MD5
517f8d52ae945331f6c1d961be959029

SHA1
ca5e0397208880655d57eb3e9465bcb8c1659c17

SHA256
d27916cbe79fecc18ef4740ff10e12e247887d644d178f4113311e2c7d8204c5

SHA512
0478f92282633500c81a643578a9e25675477d536de0094d027fbda633d445aa495ad4b68e287df60cbbbc9999d49df40b49b0859f60cfbd187707754a876af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8633.exe
Filesize
12KB

MD5
517f8d52ae945331f6c1d961be959029

SHA1
ca5e0397208880655d57eb3e9465bcb8c1659c17

SHA256
d27916cbe79fecc18ef4740ff10e12e247887d644d178f4113311e2c7d8204c5

SHA512
0478f92282633500c81a643578a9e25675477d536de0094d027fbda633d445aa495ad4b68e287df60cbbbc9999d49df40b49b0859f60cfbd187707754a876af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5941yL.exe
Filesize
284KB

MD5
589a2ee48a6a668a38e454ce4c6cdd11

SHA1
9e72b5f05fbe065fb28a57b0e662612210509308

SHA256
cf9d3640c564d386084d62c3d49c7542195cdfee06a93700460d64dd7adf9c11

SHA512
d3183b31bbe769e4e6a8f22d54353135b4b6fba3df1c5733f9829ed96a60a6567b527231d3d751710a6700a7d03a627676c7d8535a363c6a468b8cd93f9b313d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5941yL.exe
Filesize
284KB

MD5
589a2ee48a6a668a38e454ce4c6cdd11

SHA1
9e72b5f05fbe065fb28a57b0e662612210509308

SHA256
cf9d3640c564d386084d62c3d49c7542195cdfee06a93700460d64dd7adf9c11

SHA512
d3183b31bbe769e4e6a8f22d54353135b4b6fba3df1c5733f9829ed96a60a6567b527231d3d751710a6700a7d03a627676c7d8535a363c6a468b8cd93f9b313d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
095125c27cce3701c8dbe18f7392c5a9

SHA1
4c062de15d461c2f971b29e28d214cd2f332c550

SHA256
941675b23d0e2ef0890d14ae5ac5eec3241506028b2f3b6735afdf1b2e919db2

SHA512
9b41d72aa54759ed38e0a3efc2e97a3bf45a73c4beb2cac8256566fb5aa0ae250271971d586b35a745e123f4480c637c2deca4b753e51539f00f05e0419d0e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
095125c27cce3701c8dbe18f7392c5a9

SHA1
4c062de15d461c2f971b29e28d214cd2f332c550

SHA256
941675b23d0e2ef0890d14ae5ac5eec3241506028b2f3b6735afdf1b2e919db2

SHA512
9b41d72aa54759ed38e0a3efc2e97a3bf45a73c4beb2cac8256566fb5aa0ae250271971d586b35a745e123f4480c637c2deca4b753e51539f00f05e0419d0e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
095125c27cce3701c8dbe18f7392c5a9

SHA1
4c062de15d461c2f971b29e28d214cd2f332c550

SHA256
941675b23d0e2ef0890d14ae5ac5eec3241506028b2f3b6735afdf1b2e919db2

SHA512
9b41d72aa54759ed38e0a3efc2e97a3bf45a73c4beb2cac8256566fb5aa0ae250271971d586b35a745e123f4480c637c2deca4b753e51539f00f05e0419d0e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
095125c27cce3701c8dbe18f7392c5a9

SHA1
4c062de15d461c2f971b29e28d214cd2f332c550

SHA256
941675b23d0e2ef0890d14ae5ac5eec3241506028b2f3b6735afdf1b2e919db2

SHA512
9b41d72aa54759ed38e0a3efc2e97a3bf45a73c4beb2cac8256566fb5aa0ae250271971d586b35a745e123f4480c637c2deca4b753e51539f00f05e0419d0e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
095125c27cce3701c8dbe18f7392c5a9

SHA1
4c062de15d461c2f971b29e28d214cd2f332c550

SHA256
941675b23d0e2ef0890d14ae5ac5eec3241506028b2f3b6735afdf1b2e919db2

SHA512
9b41d72aa54759ed38e0a3efc2e97a3bf45a73c4beb2cac8256566fb5aa0ae250271971d586b35a745e123f4480c637c2deca4b753e51539f00f05e0419d0e81

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1228-167-0x0000000002CD0000-0x0000000002CFD000-memory.dmp

Filesize
180KB

Download
memory/1228-177-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-191-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-193-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-195-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-197-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-198-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/1228-199-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/1228-200-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/1228-201-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/1228-203-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/1228-204-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/1228-205-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/1228-168-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/1228-187-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-185-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-183-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-181-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-179-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-189-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-175-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-173-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-171-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-170-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1228-169-0x00000000073B0000-0x0000000007954000-memory.dmp

Filesize
5.6MB

Download
memory/1592-161-0x0000000000C80000-0x0000000000C8A000-memory.dmp

Filesize
40KB

Download
memory/1796-1142-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/1796-1141-0x0000000000760000-0x0000000000792000-memory.dmp

Filesize
200KB

Download
memory/3360-217-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3360-235-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3360-237-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3360-239-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3360-241-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3360-243-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3360-245-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3360-247-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3360-1120-0x00000000078E0000-0x0000000007EF8000-memory.dmp

Filesize
6.1MB

Download
memory/3360-1121-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/3360-1122-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/3360-1123-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/3360-1124-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3360-1126-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3360-1127-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3360-1128-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3360-1129-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/3360-1130-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/3360-1131-0x0000000008B80000-0x0000000008D42000-memory.dmp

Filesize
1.8MB

Download
memory/3360-1132-0x0000000008D50000-0x000000000927C000-memory.dmp

Filesize
5.2MB

Download
memory/3360-1133-0x0000000009610000-0x0000000009686000-memory.dmp

Filesize
472KB

Download
memory/3360-1134-0x0000000009690000-0x00000000096E0000-memory.dmp

Filesize
320KB

Download
memory/3360-233-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3360-231-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3360-229-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3360-227-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3360-225-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3360-219-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3360-223-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3360-221-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3360-220-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3360-216-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3360-214-0x0000000004820000-0x000000000486B000-memory.dmp

Filesize
300KB

Download
memory/3360-213-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3360-211-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3360-210-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3360-1135-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download