amadey | 82e429a71a5599e1eb63a69e902f39ade97c953c2482c0b1cb3f748a68faf899

Analysis

max time kernel
140s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2023, 23:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

82e429a71a5599e1eb63a69e902f39ade97c953c2482c0b1cb3f748a68faf899.exe
Size

964KB
MD5

ae99ec80ff95e91a234c69154849a761
SHA1

5f5416cf433a1b028eb6734bc1ec64f38bb3ca9e
SHA256

82e429a71a5599e1eb63a69e902f39ade97c953c2482c0b1cb3f748a68faf899
SHA512

725f0475d6d07e856802cc3df5e59a949085e0ba2d43602d8918f3c49dbdc718b4f50af6274f824d5978f6545a44318180df4ef1fc7849417302b8eee8a3a855
SSDEEP

24576:VyfS8Y/QcOkRRK7QUpyuZeVXpRGqhalQ7/RiCD:wbY2ORKUUguZU5wqkQ7ZiC

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it012951.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it012951.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it012951.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it012951.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it012951.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it012951.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	jr499101.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	lr847141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

pid	Process
4212	ziSK0504.exe
1152	ziJD1155.exe
4224	it012951.exe
4332	jr499101.exe
2668	1.exe
4120	kp359428.exe
4852	lr847141.exe
1352	oneetx.exe
2024	oneetx.exe
928	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
3964	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it012951.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziSK0504.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziSK0504.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziJD1155.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziJD1155.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	82e429a71a5599e1eb63a69e902f39ade97c953c2482c0b1cb3f748a68faf899.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	82e429a71a5599e1eb63a69e902f39ade97c953c2482c0b1cb3f748a68faf899.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 28 IoCs

pid	pid_target	Process	procid_target
3332	4332	WerFault.exe	93
4204	4852	WerFault.exe	100
4884	4852	WerFault.exe	100
2052	4852	WerFault.exe	100
4024	4852	WerFault.exe	100
1652	4852	WerFault.exe	100
3212	4852	WerFault.exe	100
4920	4852	WerFault.exe	100
4224	4852	WerFault.exe	100
4368	4852	WerFault.exe	100
4800	4852	WerFault.exe	100
1608	1352	WerFault.exe	119
3632	1352	WerFault.exe	119
1460	1352	WerFault.exe	119
2468	1352	WerFault.exe	119
4060	1352	WerFault.exe	119
4144	1352	WerFault.exe	119
3008	1352	WerFault.exe	119
4440	1352	WerFault.exe	119
1848	1352	WerFault.exe	119
3788	1352	WerFault.exe	119
2988	1352	WerFault.exe	119
2868	2024	WerFault.exe	146
2224	1352	WerFault.exe	119
2880	1352	WerFault.exe	119
4024	1352	WerFault.exe	119
4716	1352	WerFault.exe	119
4832	928	WerFault.exe	156

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4984	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4224	it012951.exe
4224	it012951.exe
4120	kp359428.exe
2668	1.exe
4120	kp359428.exe
2668	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4224	it012951.exe
Token: SeDebugPrivilege	4332	jr499101.exe
Token: SeDebugPrivilege	4120	kp359428.exe
Token: SeDebugPrivilege	2668	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4852	lr847141.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 4212	384	82e429a71a5599e1eb63a69e902f39ade97c953c2482c0b1cb3f748a68faf899.exe	84
PID 384 wrote to memory of 4212	384	82e429a71a5599e1eb63a69e902f39ade97c953c2482c0b1cb3f748a68faf899.exe	84
PID 384 wrote to memory of 4212	384	82e429a71a5599e1eb63a69e902f39ade97c953c2482c0b1cb3f748a68faf899.exe	84
PID 4212 wrote to memory of 1152	4212	ziSK0504.exe	85
PID 4212 wrote to memory of 1152	4212	ziSK0504.exe	85
PID 4212 wrote to memory of 1152	4212	ziSK0504.exe	85
PID 1152 wrote to memory of 4224	1152	ziJD1155.exe	86
PID 1152 wrote to memory of 4224	1152	ziJD1155.exe	86
PID 1152 wrote to memory of 4332	1152	ziJD1155.exe	93
PID 1152 wrote to memory of 4332	1152	ziJD1155.exe	93
PID 1152 wrote to memory of 4332	1152	ziJD1155.exe	93
PID 4332 wrote to memory of 2668	4332	jr499101.exe	95
PID 4332 wrote to memory of 2668	4332	jr499101.exe	95
PID 4332 wrote to memory of 2668	4332	jr499101.exe	95
PID 4212 wrote to memory of 4120	4212	ziSK0504.exe	98
PID 4212 wrote to memory of 4120	4212	ziSK0504.exe	98
PID 4212 wrote to memory of 4120	4212	ziSK0504.exe	98
PID 384 wrote to memory of 4852	384	82e429a71a5599e1eb63a69e902f39ade97c953c2482c0b1cb3f748a68faf899.exe	100
PID 384 wrote to memory of 4852	384	82e429a71a5599e1eb63a69e902f39ade97c953c2482c0b1cb3f748a68faf899.exe	100
PID 384 wrote to memory of 4852	384	82e429a71a5599e1eb63a69e902f39ade97c953c2482c0b1cb3f748a68faf899.exe	100
PID 4852 wrote to memory of 1352	4852	lr847141.exe	119
PID 4852 wrote to memory of 1352	4852	lr847141.exe	119
PID 4852 wrote to memory of 1352	4852	lr847141.exe	119
PID 1352 wrote to memory of 4984	1352	oneetx.exe	136
PID 1352 wrote to memory of 4984	1352	oneetx.exe	136
PID 1352 wrote to memory of 4984	1352	oneetx.exe	136
PID 1352 wrote to memory of 3964	1352	oneetx.exe	153
PID 1352 wrote to memory of 3964	1352	oneetx.exe	153
PID 1352 wrote to memory of 3964	1352	oneetx.exe	153

C:\Users\Admin\AppData\Local\Temp\82e429a71a5599e1eb63a69e902f39ade97c953c2482c0b1cb3f748a68faf899.exe
"C:\Users\Admin\AppData\Local\Temp\82e429a71a5599e1eb63a69e902f39ade97c953c2482c0b1cb3f748a68faf899.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSK0504.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSK0504.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziJD1155.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziJD1155.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it012951.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it012951.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4224
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr499101.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr499101.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4332
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1388
        5⤵
        Program crash
        
        PID:3332
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp359428.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp359428.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4120
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr847141.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr847141.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 712
    3⤵
    - Program crash
    PID:4204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 764
    3⤵
    - Program crash
    PID:4884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 812
    3⤵
    - Program crash
    PID:2052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 956
    3⤵
    - Program crash
    PID:4024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 960
    3⤵
    - Program crash
    PID:1652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 960
    3⤵
    - Program crash
    PID:3212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1220
    3⤵
    - Program crash
    PID:4920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1220
    3⤵
    - Program crash
    PID:4224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1320
    3⤵
    - Program crash
    PID:4368
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 708
      4⤵
      Program crash
      PID:1608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 860
      4⤵
      Program crash
      PID:3632
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 856
      4⤵
      Program crash
      PID:1460
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 1056
      4⤵
      Program crash
      PID:2468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 1076
      4⤵
      Program crash
      PID:4060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 1076
      4⤵
      Program crash
      PID:4144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 1096
      4⤵
      Program crash
      PID:3008
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4984
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 996
      4⤵
      Program crash
      PID:4440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 740
      4⤵
      Program crash
      PID:1848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 864
      4⤵
      Program crash
      PID:3788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 1316
      4⤵
      Program crash
      PID:2988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 1140
      4⤵
      Program crash
      PID:2224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 1612
      4⤵
      Program crash
      PID:2880
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:3964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 1396
      4⤵
      Program crash
      PID:4024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 1628
      4⤵
      Program crash
      PID:4716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1368
    3⤵
    - Program crash
    PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4332 -ip 4332
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4852 -ip 4852
1⤵
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4852 -ip 4852
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4852 -ip 4852
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4852 -ip 4852
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4852 -ip 4852
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4852 -ip 4852
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4852 -ip 4852
1⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4852 -ip 4852
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4852 -ip 4852
1⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4852 -ip 4852
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1352 -ip 1352
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1352 -ip 1352
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1352 -ip 1352
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1352 -ip 1352
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1352 -ip 1352
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1352 -ip 1352
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1352 -ip 1352
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1352 -ip 1352
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1352 -ip 1352
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1352 -ip 1352
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1352 -ip 1352
1⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:2024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 428
  2⤵
  - Program crash
  PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2024 -ip 2024
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1352 -ip 1352
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1352 -ip 1352
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1352 -ip 1352
1⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 428
  2⤵
  - Program crash
  PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 1352 -ip 1352
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 928 -ip 928
1⤵
PID:2444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
310KB

MD5
8c35c4b3cf812178c01e1d942c761d76

SHA1
1eda2cf7c899b2260685e209f98cf5fb9ce4f471

SHA256
eb6ed8f5ff38c6fb92f4834093ddcaa29c2563faa3b88d2df6fc3e1957641ccf

SHA512
30a967b2a51cd3107c25ef2675f556c193275cf39153df3c1864dd4eff354d37f1f74487af3956f7ae4226d91c0294878462049c9acf0114dab2cb664d3228d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
310KB

MD5
8c35c4b3cf812178c01e1d942c761d76

SHA1
1eda2cf7c899b2260685e209f98cf5fb9ce4f471

SHA256
eb6ed8f5ff38c6fb92f4834093ddcaa29c2563faa3b88d2df6fc3e1957641ccf

SHA512
30a967b2a51cd3107c25ef2675f556c193275cf39153df3c1864dd4eff354d37f1f74487af3956f7ae4226d91c0294878462049c9acf0114dab2cb664d3228d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
310KB

MD5
8c35c4b3cf812178c01e1d942c761d76

SHA1
1eda2cf7c899b2260685e209f98cf5fb9ce4f471

SHA256
eb6ed8f5ff38c6fb92f4834093ddcaa29c2563faa3b88d2df6fc3e1957641ccf

SHA512
30a967b2a51cd3107c25ef2675f556c193275cf39153df3c1864dd4eff354d37f1f74487af3956f7ae4226d91c0294878462049c9acf0114dab2cb664d3228d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
310KB

MD5
8c35c4b3cf812178c01e1d942c761d76

SHA1
1eda2cf7c899b2260685e209f98cf5fb9ce4f471

SHA256
eb6ed8f5ff38c6fb92f4834093ddcaa29c2563faa3b88d2df6fc3e1957641ccf

SHA512
30a967b2a51cd3107c25ef2675f556c193275cf39153df3c1864dd4eff354d37f1f74487af3956f7ae4226d91c0294878462049c9acf0114dab2cb664d3228d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
310KB

MD5
8c35c4b3cf812178c01e1d942c761d76

SHA1
1eda2cf7c899b2260685e209f98cf5fb9ce4f471

SHA256
eb6ed8f5ff38c6fb92f4834093ddcaa29c2563faa3b88d2df6fc3e1957641ccf

SHA512
30a967b2a51cd3107c25ef2675f556c193275cf39153df3c1864dd4eff354d37f1f74487af3956f7ae4226d91c0294878462049c9acf0114dab2cb664d3228d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr847141.exe

Filesize
310KB

MD5
8c35c4b3cf812178c01e1d942c761d76

SHA1
1eda2cf7c899b2260685e209f98cf5fb9ce4f471

SHA256
eb6ed8f5ff38c6fb92f4834093ddcaa29c2563faa3b88d2df6fc3e1957641ccf

SHA512
30a967b2a51cd3107c25ef2675f556c193275cf39153df3c1864dd4eff354d37f1f74487af3956f7ae4226d91c0294878462049c9acf0114dab2cb664d3228d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr847141.exe

Filesize
310KB

MD5
8c35c4b3cf812178c01e1d942c761d76

SHA1
1eda2cf7c899b2260685e209f98cf5fb9ce4f471

SHA256
eb6ed8f5ff38c6fb92f4834093ddcaa29c2563faa3b88d2df6fc3e1957641ccf

SHA512
30a967b2a51cd3107c25ef2675f556c193275cf39153df3c1864dd4eff354d37f1f74487af3956f7ae4226d91c0294878462049c9acf0114dab2cb664d3228d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSK0504.exe

Filesize
680KB

MD5
442f8e6c731fba086ec37e330a8b9af0

SHA1
27d14c9f6ccb8c835a82304e6123f74df0b15742

SHA256
5f6f7334a378823b3b42cbbde7cb171db1f3a41357f8591e35cd456220ddd42d

SHA512
dde97ee0eaafa2d2dc15def7269baf0b84f46ea02aaffb4e131f0fa6dd01b8047d19319c7ff134171358483509b40323a73ce08bb5167d0166a9e13f55446f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSK0504.exe

Filesize
680KB

MD5
442f8e6c731fba086ec37e330a8b9af0

SHA1
27d14c9f6ccb8c835a82304e6123f74df0b15742

SHA256
5f6f7334a378823b3b42cbbde7cb171db1f3a41357f8591e35cd456220ddd42d

SHA512
dde97ee0eaafa2d2dc15def7269baf0b84f46ea02aaffb4e131f0fa6dd01b8047d19319c7ff134171358483509b40323a73ce08bb5167d0166a9e13f55446f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp359428.exe

Filesize
168KB

MD5
3c119843b7289becfc9cd2cbcf3a7e83

SHA1
e1c24c94e4c40c53e13f5ee23c243f40658b133b

SHA256
394d13c0f20ae52837d78f10ca0aa0ac1472b9247760092c4ee62c851be53cf0

SHA512
3d05a4a329eb6562f1f976a76e3ea25b146d2146b580b261439c689bf0a0b80a891b79b8dd2301ddfbcd3d6f8cff9821d84ef6eab14da46c06d258334d6401d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp359428.exe

Filesize
168KB

MD5
3c119843b7289becfc9cd2cbcf3a7e83

SHA1
e1c24c94e4c40c53e13f5ee23c243f40658b133b

SHA256
394d13c0f20ae52837d78f10ca0aa0ac1472b9247760092c4ee62c851be53cf0

SHA512
3d05a4a329eb6562f1f976a76e3ea25b146d2146b580b261439c689bf0a0b80a891b79b8dd2301ddfbcd3d6f8cff9821d84ef6eab14da46c06d258334d6401d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziJD1155.exe

Filesize
526KB

MD5
2282bc8771603202a525d70575c1cb71

SHA1
1fce57df7d188b856f8d81966177cc170c914343

SHA256
60f750617fa77a592b58252d0cde5fa2468d535c93433db67c8a501d3e268eb2

SHA512
74a16603c1f8fe6de33a8c80098c4d51b9b15e32c4432f9f854577e4d4d5930bb5494d156a09585a8ca52d506ae8cb2b0cc4a77c60734d2efbf3f0ab5725df94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziJD1155.exe

Filesize
526KB

MD5
2282bc8771603202a525d70575c1cb71

SHA1
1fce57df7d188b856f8d81966177cc170c914343

SHA256
60f750617fa77a592b58252d0cde5fa2468d535c93433db67c8a501d3e268eb2

SHA512
74a16603c1f8fe6de33a8c80098c4d51b9b15e32c4432f9f854577e4d4d5930bb5494d156a09585a8ca52d506ae8cb2b0cc4a77c60734d2efbf3f0ab5725df94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it012951.exe

Filesize
11KB

MD5
5f64a2a01f57d248a6700e99b52972be

SHA1
147f67db162b54184348d1096d2912e27dd1532a

SHA256
961d4613d76102325b4addbb61b225a465af385bfaa252a636a4d76a62f16f4d

SHA512
e46ab5416202628054e49c45bd6652a48b8f718a32957b7e5c5f055c3b207ec0b16a8c4343873a9353895486f637796ad32f253453410414df53aec10db1e996

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it012951.exe

Filesize
11KB

MD5
5f64a2a01f57d248a6700e99b52972be

SHA1
147f67db162b54184348d1096d2912e27dd1532a

SHA256
961d4613d76102325b4addbb61b225a465af385bfaa252a636a4d76a62f16f4d

SHA512
e46ab5416202628054e49c45bd6652a48b8f718a32957b7e5c5f055c3b207ec0b16a8c4343873a9353895486f637796ad32f253453410414df53aec10db1e996

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr499101.exe

Filesize
502KB

MD5
837395adf99535ab4c3949ee22194ce5

SHA1
08af1d1bf080e815691d6a5eafb5a41c9881e018

SHA256
85e4904dd0fcdbc4374d7a30a79a2bc3b4ab37e9647dc3e69f94432cf8bad022

SHA512
cbde50da9abed8f2c40d4a63b5ebe59c44c3263d0bdf9a8c88711347279ad3681484948fae67b96b3cc90e166c7faab0c8743a33442a0d30cbe88c65ab03f967

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr499101.exe

Filesize
502KB

MD5
837395adf99535ab4c3949ee22194ce5

SHA1
08af1d1bf080e815691d6a5eafb5a41c9881e018

SHA256
85e4904dd0fcdbc4374d7a30a79a2bc3b4ab37e9647dc3e69f94432cf8bad022

SHA512
cbde50da9abed8f2c40d4a63b5ebe59c44c3263d0bdf9a8c88711347279ad3681484948fae67b96b3cc90e166c7faab0c8743a33442a0d30cbe88c65ab03f967

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/2668-2333-0x0000000005A70000-0x0000000005AE6000-memory.dmp

Filesize
472KB

Download
memory/2668-2337-0x0000000006C00000-0x0000000006DC2000-memory.dmp

Filesize
1.8MB

Download
memory/2668-2335-0x0000000005AF0000-0x0000000005B56000-memory.dmp

Filesize
408KB

Download
memory/2668-2334-0x0000000005B90000-0x0000000005C22000-memory.dmp

Filesize
584KB

Download
memory/2668-2322-0x0000000005860000-0x000000000596A000-memory.dmp

Filesize
1.0MB

Download
memory/2668-2338-0x0000000009000000-0x000000000952C000-memory.dmp

Filesize
5.2MB

Download
memory/2668-2320-0x0000000000DB0000-0x0000000000DDE000-memory.dmp

Filesize
184KB

Download
memory/2668-2339-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/2668-2321-0x0000000005D70000-0x0000000006388000-memory.dmp

Filesize
6.1MB

Download
memory/2668-2326-0x0000000005790000-0x00000000057CC000-memory.dmp

Filesize
240KB

Download
memory/2668-2325-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/2668-2324-0x00000000056F0000-0x0000000005702000-memory.dmp

Filesize
72KB

Download
memory/4120-2336-0x0000000005E40000-0x0000000005E90000-memory.dmp

Filesize
320KB

Download
memory/4120-2331-0x00000000002A0000-0x00000000002D0000-memory.dmp

Filesize
192KB

Download
memory/4120-2332-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/4120-2340-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/4224-154-0x0000000000F60000-0x0000000000F6A000-memory.dmp

Filesize
40KB

Download
memory/4332-174-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-194-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-222-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-224-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-226-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-228-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-2309-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4332-218-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-216-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-214-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-212-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-210-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-208-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-206-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-202-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-204-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-200-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-198-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-196-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-220-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-192-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-190-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-188-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-186-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-184-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-182-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-180-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-178-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-176-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-173-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4332-160-0x0000000000810000-0x000000000086B000-memory.dmp

Filesize
364KB

Download
memory/4332-170-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-171-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4332-169-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4332-167-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-165-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-163-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-162-0x0000000005240000-0x00000000052A0000-memory.dmp

Filesize
384KB

Download
memory/4332-161-0x0000000004C90000-0x0000000005234000-memory.dmp

Filesize
5.6MB

Download
memory/4852-2347-0x0000000000570000-0x00000000005AB000-memory.dmp

Filesize
236KB

Download