amadey | f3948f88ce106902ca088da446e024e3476cd4e1e12f8d2b0236d0498f4e5546

Analysis

max time kernel
148s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2023, 23:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f3948f88ce106902ca088da446e024e3476cd4e1e12f8d2b0236d0498f4e5546.exe
Size

1.1MB
MD5

6ba9900f6012d7502aa5146b2aed91f6
SHA1

cbd3be4d1876d918942f74b92c7f05ccab18e22b
SHA256

f3948f88ce106902ca088da446e024e3476cd4e1e12f8d2b0236d0498f4e5546
SHA512

a6c00c98ca304f7411821aba419ae6042413e0c616d5b013d839bb6259f0922b7e73790e9d7305d3aac3aeaf2554bfcb74e5732eeff4060b8b869078693a7089
SSDEEP

24576:hy3sTFhQTXjdcqrAzt0F+8e82suisy3oKLuchruk:U8TF6TXjSqrMOM8eVitoKLuZ

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr072290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr072290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr072290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr072290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr072290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr072290.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	qu401430.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	si642487.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
1900	un123540.exe
1512	un541141.exe
1864	pr072290.exe
264	qu401430.exe
4624	1.exe
2116	rk330070.exe
2036	si642487.exe
4500	oneetx.exe
1992	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
3996	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr072290.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr072290.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f3948f88ce106902ca088da446e024e3476cd4e1e12f8d2b0236d0498f4e5546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f3948f88ce106902ca088da446e024e3476cd4e1e12f8d2b0236d0498f4e5546.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un123540.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un123540.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un541141.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un541141.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 28 IoCs

pid	pid_target	Process	procid_target
2188	1864	WerFault.exe	87
4124	264	WerFault.exe	90
4608	2036	WerFault.exe	96
364	2036	WerFault.exe	96
3916	2036	WerFault.exe	96
464	2036	WerFault.exe	96
1880	2036	WerFault.exe	96
2228	2036	WerFault.exe	96
3412	2036	WerFault.exe	96
3336	2036	WerFault.exe	96
2032	2036	WerFault.exe	96
3740	2036	WerFault.exe	96
2324	4500	WerFault.exe	115
1444	4500	WerFault.exe	115
404	4500	WerFault.exe	115
4468	4500	WerFault.exe	115
2732	4500	WerFault.exe	115
5052	4500	WerFault.exe	115
3140	4500	WerFault.exe	115
3036	4500	WerFault.exe	115
4240	4500	WerFault.exe	115
3024	4500	WerFault.exe	115
4876	4500	WerFault.exe	115
4044	4500	WerFault.exe	115
3780	4500	WerFault.exe	115
4212	4500	WerFault.exe	115
4288	1992	WerFault.exe	149
2328	4500	WerFault.exe	115

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1864	pr072290.exe
1864	pr072290.exe
4624	1.exe
4624	1.exe
2116	rk330070.exe
2116	rk330070.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1864	pr072290.exe
Token: SeDebugPrivilege	264	qu401430.exe
Token: SeDebugPrivilege	4624	1.exe
Token: SeDebugPrivilege	2116	rk330070.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2036	si642487.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1900	848	f3948f88ce106902ca088da446e024e3476cd4e1e12f8d2b0236d0498f4e5546.exe	85
PID 848 wrote to memory of 1900	848	f3948f88ce106902ca088da446e024e3476cd4e1e12f8d2b0236d0498f4e5546.exe	85
PID 848 wrote to memory of 1900	848	f3948f88ce106902ca088da446e024e3476cd4e1e12f8d2b0236d0498f4e5546.exe	85
PID 1900 wrote to memory of 1512	1900	un123540.exe	86
PID 1900 wrote to memory of 1512	1900	un123540.exe	86
PID 1900 wrote to memory of 1512	1900	un123540.exe	86
PID 1512 wrote to memory of 1864	1512	un541141.exe	87
PID 1512 wrote to memory of 1864	1512	un541141.exe	87
PID 1512 wrote to memory of 1864	1512	un541141.exe	87
PID 1512 wrote to memory of 264	1512	un541141.exe	90
PID 1512 wrote to memory of 264	1512	un541141.exe	90
PID 1512 wrote to memory of 264	1512	un541141.exe	90
PID 264 wrote to memory of 4624	264	qu401430.exe	91
PID 264 wrote to memory of 4624	264	qu401430.exe	91
PID 264 wrote to memory of 4624	264	qu401430.exe	91
PID 1900 wrote to memory of 2116	1900	un123540.exe	95
PID 1900 wrote to memory of 2116	1900	un123540.exe	95
PID 1900 wrote to memory of 2116	1900	un123540.exe	95
PID 848 wrote to memory of 2036	848	f3948f88ce106902ca088da446e024e3476cd4e1e12f8d2b0236d0498f4e5546.exe	96
PID 848 wrote to memory of 2036	848	f3948f88ce106902ca088da446e024e3476cd4e1e12f8d2b0236d0498f4e5546.exe	96
PID 848 wrote to memory of 2036	848	f3948f88ce106902ca088da446e024e3476cd4e1e12f8d2b0236d0498f4e5546.exe	96
PID 2036 wrote to memory of 4500	2036	si642487.exe	115
PID 2036 wrote to memory of 4500	2036	si642487.exe	115
PID 2036 wrote to memory of 4500	2036	si642487.exe	115
PID 4500 wrote to memory of 3884	4500	oneetx.exe	132
PID 4500 wrote to memory of 3884	4500	oneetx.exe	132
PID 4500 wrote to memory of 3884	4500	oneetx.exe	132
PID 4500 wrote to memory of 3996	4500	oneetx.exe	146
PID 4500 wrote to memory of 3996	4500	oneetx.exe	146
PID 4500 wrote to memory of 3996	4500	oneetx.exe	146

C:\Users\Admin\AppData\Local\Temp\f3948f88ce106902ca088da446e024e3476cd4e1e12f8d2b0236d0498f4e5546.exe
"C:\Users\Admin\AppData\Local\Temp\f3948f88ce106902ca088da446e024e3476cd4e1e12f8d2b0236d0498f4e5546.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un123540.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un123540.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un541141.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un541141.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr072290.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr072290.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1864
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 1080
        5⤵
        Program crash
        
        PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu401430.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu401430.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:264
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 1384
        5⤵
        Program crash
        
        PID:4124
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk330070.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk330070.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si642487.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si642487.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 696
    3⤵
    - Program crash
    PID:4608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 780
    3⤵
    - Program crash
    PID:364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 856
    3⤵
    - Program crash
    PID:3916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 860
    3⤵
    - Program crash
    PID:464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 948
    3⤵
    - Program crash
    PID:1880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 948
    3⤵
    - Program crash
    PID:2228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1216
    3⤵
    - Program crash
    PID:3412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1228
    3⤵
    - Program crash
    PID:3336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1312
    3⤵
    - Program crash
    PID:2032
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 692
      4⤵
      Program crash
      PID:2324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 864
      4⤵
      Program crash
      PID:1444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 892
      4⤵
      Program crash
      PID:404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1056
      4⤵
      Program crash
      PID:4468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1096
      4⤵
      Program crash
      PID:2732
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1048
      4⤵
      Program crash
      PID:5052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1120
      4⤵
      Program crash
      PID:3140
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 992
      4⤵
      Program crash
      PID:3036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1292
      4⤵
      Program crash
      PID:4240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1312
      4⤵
      Program crash
      PID:3024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1292
      4⤵
      Program crash
      PID:4876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1076
      4⤵
      Program crash
      PID:4044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1612
      4⤵
      Program crash
      PID:3780
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:3996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1136
      4⤵
      Program crash
      PID:4212
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1628
      4⤵
      Program crash
      PID:2328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1356
    3⤵
    - Program crash
    PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1864 -ip 1864
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 264 -ip 264
1⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2036 -ip 2036
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2036 -ip 2036
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2036 -ip 2036
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2036 -ip 2036
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2036 -ip 2036
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2036 -ip 2036
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2036 -ip 2036
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2036 -ip 2036
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2036 -ip 2036
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2036 -ip 2036
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4500 -ip 4500
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4500 -ip 4500
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4500 -ip 4500
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4500 -ip 4500
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4500 -ip 4500
1⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4500 -ip 4500
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4500 -ip 4500
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4500 -ip 4500
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4500 -ip 4500
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4500 -ip 4500
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 4500 -ip 4500
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 4500 -ip 4500
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 4500 -ip 4500
1⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 4500 -ip 4500
1⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:1992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 312
  2⤵
  - Program crash
  PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 1992 -ip 1992
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 4500 -ip 4500
1⤵
PID:4608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
309KB

MD5
9242e8e8a5d6a083662e9a3114763779

SHA1
c942ce1860dab1d359b38d74fd93f6a6b40cd12d

SHA256
2fe02c613d0a5317c961aa489106fa0219bcb6426c30d6ed8aa85ff711d9fb7e

SHA512
64d08407736c95373efb8a642e788947fb9af4483b2ffa8843291ff31f42fa60f44bf5927efdf95c953ec29c382b308944039143d2e73c919dcb6f666b589f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
309KB

MD5
9242e8e8a5d6a083662e9a3114763779

SHA1
c942ce1860dab1d359b38d74fd93f6a6b40cd12d

SHA256
2fe02c613d0a5317c961aa489106fa0219bcb6426c30d6ed8aa85ff711d9fb7e

SHA512
64d08407736c95373efb8a642e788947fb9af4483b2ffa8843291ff31f42fa60f44bf5927efdf95c953ec29c382b308944039143d2e73c919dcb6f666b589f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
309KB

MD5
9242e8e8a5d6a083662e9a3114763779

SHA1
c942ce1860dab1d359b38d74fd93f6a6b40cd12d

SHA256
2fe02c613d0a5317c961aa489106fa0219bcb6426c30d6ed8aa85ff711d9fb7e

SHA512
64d08407736c95373efb8a642e788947fb9af4483b2ffa8843291ff31f42fa60f44bf5927efdf95c953ec29c382b308944039143d2e73c919dcb6f666b589f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
309KB

MD5
9242e8e8a5d6a083662e9a3114763779

SHA1
c942ce1860dab1d359b38d74fd93f6a6b40cd12d

SHA256
2fe02c613d0a5317c961aa489106fa0219bcb6426c30d6ed8aa85ff711d9fb7e

SHA512
64d08407736c95373efb8a642e788947fb9af4483b2ffa8843291ff31f42fa60f44bf5927efdf95c953ec29c382b308944039143d2e73c919dcb6f666b589f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si642487.exe

Filesize
309KB

MD5
9242e8e8a5d6a083662e9a3114763779

SHA1
c942ce1860dab1d359b38d74fd93f6a6b40cd12d

SHA256
2fe02c613d0a5317c961aa489106fa0219bcb6426c30d6ed8aa85ff711d9fb7e

SHA512
64d08407736c95373efb8a642e788947fb9af4483b2ffa8843291ff31f42fa60f44bf5927efdf95c953ec29c382b308944039143d2e73c919dcb6f666b589f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si642487.exe

Filesize
309KB

MD5
9242e8e8a5d6a083662e9a3114763779

SHA1
c942ce1860dab1d359b38d74fd93f6a6b40cd12d

SHA256
2fe02c613d0a5317c961aa489106fa0219bcb6426c30d6ed8aa85ff711d9fb7e

SHA512
64d08407736c95373efb8a642e788947fb9af4483b2ffa8843291ff31f42fa60f44bf5927efdf95c953ec29c382b308944039143d2e73c919dcb6f666b589f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un123540.exe

Filesize
817KB

MD5
de49aa0e913762a2900d67b7125b8688

SHA1
4884e25d8545699dfceb18e104837938f2a02082

SHA256
c66934da5614121da7ead8a288f08ce9a2f2ecfeb53c87e32426f7764c97e727

SHA512
38fa80784dca471f746c8ed7bd7d8be485cf13fabcd28d0cee5a7c4eb76a9bbb7934b5b84ba1979c39f7c407705fc8cdfb71842af0ded8ba890eec323564201e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un123540.exe

Filesize
817KB

MD5
de49aa0e913762a2900d67b7125b8688

SHA1
4884e25d8545699dfceb18e104837938f2a02082

SHA256
c66934da5614121da7ead8a288f08ce9a2f2ecfeb53c87e32426f7764c97e727

SHA512
38fa80784dca471f746c8ed7bd7d8be485cf13fabcd28d0cee5a7c4eb76a9bbb7934b5b84ba1979c39f7c407705fc8cdfb71842af0ded8ba890eec323564201e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk330070.exe

Filesize
168KB

MD5
db5d95872954bfc6e59196ff4bea1b06

SHA1
b2b7e9bcb1f65bacfdf81089721b98d36a04c222

SHA256
f7b93754bdcdf37140429a9e01466f3314c7c3447fca8c1158bb7ec3aef2b8d1

SHA512
346908f042399083dfd91453a80ba87c1351325010e959a3c6c9a89ea21dba64e4b9e6b5b7cf15b5094fe5e807c0685592ebc300d46dfddc36f21b95c4fb0b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk330070.exe

Filesize
168KB

MD5
db5d95872954bfc6e59196ff4bea1b06

SHA1
b2b7e9bcb1f65bacfdf81089721b98d36a04c222

SHA256
f7b93754bdcdf37140429a9e01466f3314c7c3447fca8c1158bb7ec3aef2b8d1

SHA512
346908f042399083dfd91453a80ba87c1351325010e959a3c6c9a89ea21dba64e4b9e6b5b7cf15b5094fe5e807c0685592ebc300d46dfddc36f21b95c4fb0b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un541141.exe

Filesize
664KB

MD5
dd486b5d91db8568d994fa77f95a4c82

SHA1
4360f4fb41366f0ec745a3307cf57192de165cca

SHA256
333a2e23913961f03c4d663c0fe9979d8e39c2f5ee3929a29ed7f96af88cccf4

SHA512
4bf3effc153c6400a4e16f2f41ca8817727483d19d28cc62776af2a3248e61ab48f37857d7bd9ea9d8b4006897c7461d4684e170c3ce903ec449c6801120e25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un541141.exe

Filesize
664KB

MD5
dd486b5d91db8568d994fa77f95a4c82

SHA1
4360f4fb41366f0ec745a3307cf57192de165cca

SHA256
333a2e23913961f03c4d663c0fe9979d8e39c2f5ee3929a29ed7f96af88cccf4

SHA512
4bf3effc153c6400a4e16f2f41ca8817727483d19d28cc62776af2a3248e61ab48f37857d7bd9ea9d8b4006897c7461d4684e170c3ce903ec449c6801120e25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr072290.exe

Filesize
317KB

MD5
8d0363a2d7cf52cea1e558adbecddf69

SHA1
1c284cca0035ecb02db98c135638615eecaf9d56

SHA256
0b13c53f0c71425b2017766b60d1c6f0765e16e9367db7ef6a8d9664b4c75561

SHA512
041333152ced9cb037392b313509abbc9fd6a80b5168f93b3173b89370f42f268d8d60cabd06180758da2b8549e16438249907fc1638fb7d11c3076bf30d05ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr072290.exe

Filesize
317KB

MD5
8d0363a2d7cf52cea1e558adbecddf69

SHA1
1c284cca0035ecb02db98c135638615eecaf9d56

SHA256
0b13c53f0c71425b2017766b60d1c6f0765e16e9367db7ef6a8d9664b4c75561

SHA512
041333152ced9cb037392b313509abbc9fd6a80b5168f93b3173b89370f42f268d8d60cabd06180758da2b8549e16438249907fc1638fb7d11c3076bf30d05ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu401430.exe

Filesize
501KB

MD5
1d111c6b43028427168ac042618750f9

SHA1
aaf79951370fdd0454a500226bce59331ddd0ddd

SHA256
9cd9ff897f49a307ec7d8bb1f6c439f8325c68abeed336f653ff20f872f84510

SHA512
15e3c93161b950b2a69a097bea095cf54cd80c65a5eb37554f64e4f32d0e2340e74c5aaac01962a7f5e6cf865dc1308380a73fb38ac98dd229153abc2a8700ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu401430.exe

Filesize
501KB

MD5
1d111c6b43028427168ac042618750f9

SHA1
aaf79951370fdd0454a500226bce59331ddd0ddd

SHA256
9cd9ff897f49a307ec7d8bb1f6c439f8325c68abeed336f653ff20f872f84510

SHA512
15e3c93161b950b2a69a097bea095cf54cd80c65a5eb37554f64e4f32d0e2340e74c5aaac01962a7f5e6cf865dc1308380a73fb38ac98dd229153abc2a8700ef

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/264-2365-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/264-229-0x00000000051D0000-0x0000000005230000-memory.dmp

Filesize
384KB

Download
memory/264-2366-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/264-2364-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/264-2345-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/264-342-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/264-341-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/264-337-0x0000000002130000-0x000000000218B000-memory.dmp

Filesize
364KB

Download
memory/264-339-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/264-231-0x00000000051D0000-0x0000000005230000-memory.dmp

Filesize
384KB

Download
memory/264-198-0x00000000051D0000-0x0000000005230000-memory.dmp

Filesize
384KB

Download
memory/264-199-0x00000000051D0000-0x0000000005230000-memory.dmp

Filesize
384KB

Download
memory/264-201-0x00000000051D0000-0x0000000005230000-memory.dmp

Filesize
384KB

Download
memory/264-203-0x00000000051D0000-0x0000000005230000-memory.dmp

Filesize
384KB

Download
memory/264-205-0x00000000051D0000-0x0000000005230000-memory.dmp

Filesize
384KB

Download
memory/264-207-0x00000000051D0000-0x0000000005230000-memory.dmp

Filesize
384KB

Download
memory/264-209-0x00000000051D0000-0x0000000005230000-memory.dmp

Filesize
384KB

Download
memory/264-211-0x00000000051D0000-0x0000000005230000-memory.dmp

Filesize
384KB

Download
memory/264-213-0x00000000051D0000-0x0000000005230000-memory.dmp

Filesize
384KB

Download
memory/264-215-0x00000000051D0000-0x0000000005230000-memory.dmp

Filesize
384KB

Download
memory/264-217-0x00000000051D0000-0x0000000005230000-memory.dmp

Filesize
384KB

Download
memory/264-219-0x00000000051D0000-0x0000000005230000-memory.dmp

Filesize
384KB

Download
memory/264-221-0x00000000051D0000-0x0000000005230000-memory.dmp

Filesize
384KB

Download
memory/264-223-0x00000000051D0000-0x0000000005230000-memory.dmp

Filesize
384KB

Download
memory/264-225-0x00000000051D0000-0x0000000005230000-memory.dmp

Filesize
384KB

Download
memory/264-227-0x00000000051D0000-0x0000000005230000-memory.dmp

Filesize
384KB

Download
memory/1864-182-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/1864-158-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/1864-185-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/1864-193-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1864-192-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/1864-190-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/1864-191-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/1864-186-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/1864-180-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/1864-170-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/1864-155-0x00000000020C0000-0x00000000020ED000-memory.dmp

Filesize
180KB

Download
memory/1864-156-0x0000000004BC0000-0x0000000005164000-memory.dmp

Filesize
5.6MB

Download
memory/1864-157-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/1864-178-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/1864-160-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/1864-162-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/1864-188-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1864-172-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/1864-187-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/1864-174-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/1864-176-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/1864-184-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/1864-164-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/1864-166-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/1864-168-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/2036-2386-0x00000000020E0000-0x000000000211B000-memory.dmp

Filesize
236KB

Download
memory/2116-2371-0x0000000000C10000-0x0000000000C40000-memory.dmp

Filesize
192KB

Download
memory/2116-2372-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/4624-2373-0x00000000055D0000-0x0000000005646000-memory.dmp

Filesize
472KB

Download
memory/4624-2379-0x00000000089A0000-0x0000000008ECC000-memory.dmp

Filesize
5.2MB

Download
memory/4624-2376-0x0000000006320000-0x0000000006370000-memory.dmp

Filesize
320KB

Download
memory/4624-2375-0x0000000005650000-0x00000000056B6000-memory.dmp

Filesize
408KB

Download
memory/4624-2374-0x00000000056F0000-0x0000000005782000-memory.dmp

Filesize
584KB

Download
memory/4624-2377-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4624-2378-0x0000000006700000-0x00000000068C2000-memory.dmp

Filesize
1.8MB

Download
memory/4624-2362-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4624-2361-0x00000000051F0000-0x000000000522C000-memory.dmp

Filesize
240KB

Download
memory/4624-2360-0x0000000004F50000-0x0000000004F62000-memory.dmp

Filesize
72KB

Download
memory/4624-2359-0x0000000005300000-0x000000000540A000-memory.dmp

Filesize
1.0MB

Download
memory/4624-2358-0x0000000005810000-0x0000000005E28000-memory.dmp

Filesize
6.1MB

Download
memory/4624-2357-0x00000000006D0000-0x00000000006FE000-memory.dmp

Filesize
184KB

Download