amadey | e28a3a83176fa610c38333364523e44578f87911f43ea8f2e0b8aa6eabbd9f0e

Analysis

max time kernel
146s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2023, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e28a3a83176fa610c38333364523e44578f87911f43ea8f2e0b8aa6eabbd9f0e.exe
Size

790KB
MD5

25431a0cac6ed1e89e4e3965c7e29939
SHA1

b2c4c44ea6ca4760b2ff6ee7c832be6eea5817ff
SHA256

e28a3a83176fa610c38333364523e44578f87911f43ea8f2e0b8aa6eabbd9f0e
SHA512

2e7d97af13130ca437b0b1acc2209adff7cde1b2aa36c30c4ab3f23dc641daefbbc2b8dd4b46344a68fdca24dc19cb5f880373c3242ca9a7c16b42bc2ad08a90
SSDEEP

24576:Ry1s+HOgoyqSbw/ParPesGuZcyFDC7ucD1:E3uyBEymsZcuCqcD

Score

10^/10

amadey redline nahui rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

nahui

176.113.115.145:4125

Attributes

auth_value
b9ed10946d21e28d58d0c72c535cde6f

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it373412.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it373412.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it373412.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it373412.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it373412.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it373412.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 34 IoCs

resource	yara_rule
behavioral1/memory/3960-161-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-164-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-162-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-166-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-170-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-176-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-174-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-178-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-180-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-182-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-184-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-186-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-188-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-190-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-192-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-194-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-196-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-198-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-200-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-202-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-204-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-206-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-208-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-210-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-212-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-214-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-216-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-218-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-220-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-222-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-224-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-226-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-228-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/3960-1081-0x0000000004C70000-0x0000000004C80000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	lr146315.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 8 IoCs

pid	Process
4164	ziKB2695.exe
4104	ziIe5834.exe
5032	it373412.exe
3960	jr494376.exe
3620	kp172880.exe
2268	lr146315.exe
992	oneetx.exe
4340	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
3796	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it373412.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziKB2695.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziIe5834.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziIe5834.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e28a3a83176fa610c38333364523e44578f87911f43ea8f2e0b8aa6eabbd9f0e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e28a3a83176fa610c38333364523e44578f87911f43ea8f2e0b8aa6eabbd9f0e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziKB2695.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 27 IoCs

pid	pid_target	Process	procid_target
4084	3960	WerFault.exe	85
3780	2268	WerFault.exe	91
3376	2268	WerFault.exe	91
3280	2268	WerFault.exe	91
3792	2268	WerFault.exe	91
1640	2268	WerFault.exe	91
3716	2268	WerFault.exe	91
4688	2268	WerFault.exe	91
5024	2268	WerFault.exe	91
1296	2268	WerFault.exe	91
3068	2268	WerFault.exe	91
3592	992	WerFault.exe	110
3520	992	WerFault.exe	110
2076	992	WerFault.exe	110
1408	992	WerFault.exe	110
3292	992	WerFault.exe	110
1756	992	WerFault.exe	110
3344	992	WerFault.exe	110
4224	992	WerFault.exe	110
3964	992	WerFault.exe	110
480	992	WerFault.exe	110
4484	992	WerFault.exe	110
5068	992	WerFault.exe	110
4632	992	WerFault.exe	110
1600	992	WerFault.exe	110
3348	4340	WerFault.exe	144
3656	992	WerFault.exe	110

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5032	it373412.exe
5032	it373412.exe
3960	jr494376.exe
3960	jr494376.exe
3620	kp172880.exe
3620	kp172880.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5032	it373412.exe
Token: SeDebugPrivilege	3960	jr494376.exe
Token: SeDebugPrivilege	3620	kp172880.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2268	lr146315.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 4164	3924	e28a3a83176fa610c38333364523e44578f87911f43ea8f2e0b8aa6eabbd9f0e.exe	82
PID 3924 wrote to memory of 4164	3924	e28a3a83176fa610c38333364523e44578f87911f43ea8f2e0b8aa6eabbd9f0e.exe	82
PID 3924 wrote to memory of 4164	3924	e28a3a83176fa610c38333364523e44578f87911f43ea8f2e0b8aa6eabbd9f0e.exe	82
PID 4164 wrote to memory of 4104	4164	ziKB2695.exe	83
PID 4164 wrote to memory of 4104	4164	ziKB2695.exe	83
PID 4164 wrote to memory of 4104	4164	ziKB2695.exe	83
PID 4104 wrote to memory of 5032	4104	ziIe5834.exe	84
PID 4104 wrote to memory of 5032	4104	ziIe5834.exe	84
PID 4104 wrote to memory of 3960	4104	ziIe5834.exe	85
PID 4104 wrote to memory of 3960	4104	ziIe5834.exe	85
PID 4104 wrote to memory of 3960	4104	ziIe5834.exe	85
PID 4164 wrote to memory of 3620	4164	ziKB2695.exe	89
PID 4164 wrote to memory of 3620	4164	ziKB2695.exe	89
PID 4164 wrote to memory of 3620	4164	ziKB2695.exe	89
PID 3924 wrote to memory of 2268	3924	e28a3a83176fa610c38333364523e44578f87911f43ea8f2e0b8aa6eabbd9f0e.exe	91
PID 3924 wrote to memory of 2268	3924	e28a3a83176fa610c38333364523e44578f87911f43ea8f2e0b8aa6eabbd9f0e.exe	91
PID 3924 wrote to memory of 2268	3924	e28a3a83176fa610c38333364523e44578f87911f43ea8f2e0b8aa6eabbd9f0e.exe	91
PID 2268 wrote to memory of 992	2268	lr146315.exe	110
PID 2268 wrote to memory of 992	2268	lr146315.exe	110
PID 2268 wrote to memory of 992	2268	lr146315.exe	110
PID 992 wrote to memory of 4584	992	oneetx.exe	127
PID 992 wrote to memory of 4584	992	oneetx.exe	127
PID 992 wrote to memory of 4584	992	oneetx.exe	127
PID 992 wrote to memory of 3796	992	oneetx.exe	141
PID 992 wrote to memory of 3796	992	oneetx.exe	141
PID 992 wrote to memory of 3796	992	oneetx.exe	141

C:\Users\Admin\AppData\Local\Temp\e28a3a83176fa610c38333364523e44578f87911f43ea8f2e0b8aa6eabbd9f0e.exe
"C:\Users\Admin\AppData\Local\Temp\e28a3a83176fa610c38333364523e44578f87911f43ea8f2e0b8aa6eabbd9f0e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKB2695.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKB2695.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziIe5834.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziIe5834.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it373412.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it373412.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5032
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr494376.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr494376.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3960
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 1344
        5⤵
        Program crash
        
        PID:4084
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp172880.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp172880.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3620
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr146315.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr146315.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 696
    3⤵
    - Program crash
    PID:3780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 780
    3⤵
    - Program crash
    PID:3376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 856
    3⤵
    - Program crash
    PID:3280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 976
    3⤵
    - Program crash
    PID:3792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 964
    3⤵
    - Program crash
    PID:1640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 964
    3⤵
    - Program crash
    PID:3716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1152
    3⤵
    - Program crash
    PID:4688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1232
    3⤵
    - Program crash
    PID:5024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1320
    3⤵
    - Program crash
    PID:1296
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 692
      4⤵
      Program crash
      PID:3592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 832
      4⤵
      Program crash
      PID:3520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 892
      4⤵
      Program crash
      PID:2076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1052
      4⤵
      Program crash
      PID:1408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1052
      4⤵
      Program crash
      PID:3292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1052
      4⤵
      Program crash
      PID:1756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1128
      4⤵
      Program crash
      PID:3344
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 992
      4⤵
      Program crash
      PID:4224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 744
      4⤵
      Program crash
      PID:3964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 836
      4⤵
      Program crash
      PID:480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1288
      4⤵
      Program crash
      PID:4484
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1080
      4⤵
      Program crash
      PID:5068
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1368
      4⤵
      Program crash
      PID:4632
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:3796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1076
      4⤵
      Program crash
      PID:1600
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1560
      4⤵
      Program crash
      PID:3656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 748
    3⤵
    - Program crash
    PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3960 -ip 3960
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2268 -ip 2268
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2268 -ip 2268
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2268 -ip 2268
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2268 -ip 2268
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2268 -ip 2268
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2268 -ip 2268
1⤵
PID:348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2268 -ip 2268
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2268 -ip 2268
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2268 -ip 2268
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2268 -ip 2268
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 992 -ip 992
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 992 -ip 992
1⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 992 -ip 992
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 992 -ip 992
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 992 -ip 992
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 992 -ip 992
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 992 -ip 992
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 992 -ip 992
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 992 -ip 992
1⤵
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 992 -ip 992
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 992 -ip 992
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 992 -ip 992
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 992 -ip 992
1⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 992 -ip 992
1⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 316
  2⤵
  - Program crash
  PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4340 -ip 4340
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 992 -ip 992
1⤵
PID:2520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
230KB

MD5
54c44f28117c042e00f54b4f44aa89bb

SHA1
3c8668e8500216e31e4e7943dc5dc7a045619dec

SHA256
5ad202f9785ad847380ef33c36d00446a06eadb03bb0c1e7e7e7cc87b6b841f3

SHA512
bbd3037dc11758fb17d1973fd904c99e2c2ad3ff84a94adde9b6e50f5493e55b09fb30bbef825b2dc31debaa6fa7427fe97b7fbb277fa8f79965b2ba36232d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
230KB

MD5
54c44f28117c042e00f54b4f44aa89bb

SHA1
3c8668e8500216e31e4e7943dc5dc7a045619dec

SHA256
5ad202f9785ad847380ef33c36d00446a06eadb03bb0c1e7e7e7cc87b6b841f3

SHA512
bbd3037dc11758fb17d1973fd904c99e2c2ad3ff84a94adde9b6e50f5493e55b09fb30bbef825b2dc31debaa6fa7427fe97b7fbb277fa8f79965b2ba36232d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
230KB

MD5
54c44f28117c042e00f54b4f44aa89bb

SHA1
3c8668e8500216e31e4e7943dc5dc7a045619dec

SHA256
5ad202f9785ad847380ef33c36d00446a06eadb03bb0c1e7e7e7cc87b6b841f3

SHA512
bbd3037dc11758fb17d1973fd904c99e2c2ad3ff84a94adde9b6e50f5493e55b09fb30bbef825b2dc31debaa6fa7427fe97b7fbb277fa8f79965b2ba36232d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
230KB

MD5
54c44f28117c042e00f54b4f44aa89bb

SHA1
3c8668e8500216e31e4e7943dc5dc7a045619dec

SHA256
5ad202f9785ad847380ef33c36d00446a06eadb03bb0c1e7e7e7cc87b6b841f3

SHA512
bbd3037dc11758fb17d1973fd904c99e2c2ad3ff84a94adde9b6e50f5493e55b09fb30bbef825b2dc31debaa6fa7427fe97b7fbb277fa8f79965b2ba36232d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr146315.exe

Filesize
230KB

MD5
54c44f28117c042e00f54b4f44aa89bb

SHA1
3c8668e8500216e31e4e7943dc5dc7a045619dec

SHA256
5ad202f9785ad847380ef33c36d00446a06eadb03bb0c1e7e7e7cc87b6b841f3

SHA512
bbd3037dc11758fb17d1973fd904c99e2c2ad3ff84a94adde9b6e50f5493e55b09fb30bbef825b2dc31debaa6fa7427fe97b7fbb277fa8f79965b2ba36232d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr146315.exe

Filesize
230KB

MD5
54c44f28117c042e00f54b4f44aa89bb

SHA1
3c8668e8500216e31e4e7943dc5dc7a045619dec

SHA256
5ad202f9785ad847380ef33c36d00446a06eadb03bb0c1e7e7e7cc87b6b841f3

SHA512
bbd3037dc11758fb17d1973fd904c99e2c2ad3ff84a94adde9b6e50f5493e55b09fb30bbef825b2dc31debaa6fa7427fe97b7fbb277fa8f79965b2ba36232d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKB2695.exe

Filesize
524KB

MD5
2d19a0708b4863542ebafff76cdaf031

SHA1
89769d7146de5dede7b4c95cbd3131c34083e5b1

SHA256
8b3ee0f703291894d00d229af587e8d416af1a76cd8e5489556357162da9d8ba

SHA512
1b70ea0381d4b1031cf6ae0f5d71b78744a6f1882c86fda5cf004c234054055301e57b0ed58b2383b3ba75a1e7919be2bdeda0af22f51e8ba87d93a3517b061c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKB2695.exe

Filesize
524KB

MD5
2d19a0708b4863542ebafff76cdaf031

SHA1
89769d7146de5dede7b4c95cbd3131c34083e5b1

SHA256
8b3ee0f703291894d00d229af587e8d416af1a76cd8e5489556357162da9d8ba

SHA512
1b70ea0381d4b1031cf6ae0f5d71b78744a6f1882c86fda5cf004c234054055301e57b0ed58b2383b3ba75a1e7919be2bdeda0af22f51e8ba87d93a3517b061c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp172880.exe

Filesize
175KB

MD5
b2e599dec0856d70ebb2ab2327ae6442

SHA1
300323436b47ddafa78cb7e835deb1ab09f13698

SHA256
b1470330cd560723c67ad42eb7e8c8137271c5a729cd08a81d3028e8bb2e1c43

SHA512
c5092c0377c8d7aa8a1097d52e2b96df41ce9b1b9a72bf0c3a1f10c7c60ea5831bb2c535e144f1908f39f2b93017d69fd9f24272b0e706bacd5970e84e909065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp172880.exe

Filesize
175KB

MD5
b2e599dec0856d70ebb2ab2327ae6442

SHA1
300323436b47ddafa78cb7e835deb1ab09f13698

SHA256
b1470330cd560723c67ad42eb7e8c8137271c5a729cd08a81d3028e8bb2e1c43

SHA512
c5092c0377c8d7aa8a1097d52e2b96df41ce9b1b9a72bf0c3a1f10c7c60ea5831bb2c535e144f1908f39f2b93017d69fd9f24272b0e706bacd5970e84e909065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziIe5834.exe

Filesize
382KB

MD5
e76d9f9d4ba7034a205bc5ab8926aa4e

SHA1
4a06c07513fd89a92862e156b3081ca25a6b100d

SHA256
96c3c93cfa8dca119d9c920cc60d42db93fc5a2f3c553256a5dfbb81549c9ee3

SHA512
a7ad978a07ff248e5312b611c00b2496206a9328a475949e6e44faf152904dd9b981f5c8ba83a7853431572d437fdd8980d1665c54f25083bfbcaa89c112a347

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziIe5834.exe

Filesize
382KB

MD5
e76d9f9d4ba7034a205bc5ab8926aa4e

SHA1
4a06c07513fd89a92862e156b3081ca25a6b100d

SHA256
96c3c93cfa8dca119d9c920cc60d42db93fc5a2f3c553256a5dfbb81549c9ee3

SHA512
a7ad978a07ff248e5312b611c00b2496206a9328a475949e6e44faf152904dd9b981f5c8ba83a7853431572d437fdd8980d1665c54f25083bfbcaa89c112a347

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it373412.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it373412.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr494376.exe

Filesize
297KB

MD5
2e03da4fc2c857f0c8a919e6db6ec20e

SHA1
2196d1855504f028b4ac54f7cad91e9dcb0adb64

SHA256
91cfe823d97e79b34fa7dab2469ebfb06fbcd809b2593fee56c8609af1630514

SHA512
0791cbdca5bf54087f8492d813d75b09f8f9125da3a9e3ad27fcfe332e7e422d2b680f21d2cd1c002c04390536e1fa239ef1fc26237d0cae63048c94a78ee3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr494376.exe

Filesize
297KB

MD5
2e03da4fc2c857f0c8a919e6db6ec20e

SHA1
2196d1855504f028b4ac54f7cad91e9dcb0adb64

SHA256
91cfe823d97e79b34fa7dab2469ebfb06fbcd809b2593fee56c8609af1630514

SHA512
0791cbdca5bf54087f8492d813d75b09f8f9125da3a9e3ad27fcfe332e7e422d2b680f21d2cd1c002c04390536e1fa239ef1fc26237d0cae63048c94a78ee3cd

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/2268-1099-0x0000000000580000-0x00000000005BB000-memory.dmp

Filesize
236KB

Download
memory/3620-1092-0x0000000000140000-0x0000000000172000-memory.dmp

Filesize
200KB

Download
memory/3620-1093-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/3960-208-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-1072-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/3960-182-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-184-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-186-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-188-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-190-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-192-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-194-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-196-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-198-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-200-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-202-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-204-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-206-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-178-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-210-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-212-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-214-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-216-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-218-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-220-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-222-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-224-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-226-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-228-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-1071-0x0000000005230000-0x0000000005848000-memory.dmp

Filesize
6.1MB

Download
memory/3960-180-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-1073-0x00000000059E0000-0x00000000059F2000-memory.dmp

Filesize
72KB

Download
memory/3960-1074-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/3960-1075-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/3960-1076-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/3960-1078-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/3960-1079-0x00000000064B0000-0x0000000006672000-memory.dmp

Filesize
1.8MB

Download
memory/3960-1080-0x0000000006690000-0x0000000006BBC000-memory.dmp

Filesize
5.2MB

Download
memory/3960-1081-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/3960-1082-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/3960-1083-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/3960-174-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-176-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-173-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/3960-171-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/3960-170-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-169-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/3960-167-0x00000000006F0000-0x000000000073B000-memory.dmp

Filesize
300KB

Download
memory/3960-166-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-162-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-164-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-161-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/3960-160-0x0000000004C80000-0x0000000005224000-memory.dmp

Filesize
5.6MB

Download
memory/3960-1084-0x0000000006D10000-0x0000000006D86000-memory.dmp

Filesize
472KB

Download
memory/3960-1085-0x0000000006D90000-0x0000000006DE0000-memory.dmp

Filesize
320KB

Download
memory/3960-1086-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/5032-154-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download