amadey | 3fa34a98ea6815143287f2b6bca832224e953f16e96eca90df339dddc4675ab1

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2023, 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fa34a98ea6815143287f2b6bca832224e953f16e96eca90df339dddc4675ab1.exe
Size

1.1MB
MD5

feff5bb266923a9e0e4f5132847da6b6
SHA1

69d1c1f23ab3a9f63bb022e83dca6f01e86f5427
SHA256

3fa34a98ea6815143287f2b6bca832224e953f16e96eca90df339dddc4675ab1
SHA512

ee4e833735920e4b8b68fd41112958e341dc3856f08ef1a47cdeb0e443455e3dadd1d6fbb09603bbce296a42ced98702aaa5f12bd86c004f8dd1486ce73505ea
SSDEEP

24576:EyX4nRo+LqT1IBvoThhfgAEw2yA97j8zO9aZvQ5zv:TcK1IBvoFhoAF09kMGUz

Score

10^/10

amadey redline diro lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

diro

185.161.248.90:4125

Attributes

auth_value
ae95bda0dd2e95169886a3a68138568b

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr468317.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr468317.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr468317.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr468317.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr468317.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr468317.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	qu620799.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	si070877.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

pid	Process
4772	un266106.exe
1664	un824412.exe
4140	pr468317.exe
4532	qu620799.exe
2044	1.exe
1340	rk878211.exe
3656	si070877.exe
2000	oneetx.exe
3752	oneetx.exe
428	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
2044	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr468317.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr468317.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un824412.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un824412.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3fa34a98ea6815143287f2b6bca832224e953f16e96eca90df339dddc4675ab1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3fa34a98ea6815143287f2b6bca832224e953f16e96eca90df339dddc4675ab1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un266106.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un266106.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 28 IoCs

pid	pid_target	Process	procid_target
220	4140	WerFault.exe	85
896	4532	WerFault.exe	88
2888	3656	WerFault.exe	94
4312	3656	WerFault.exe	94
4488	3656	WerFault.exe	94
996	3656	WerFault.exe	94
4156	3656	WerFault.exe	94
4892	3656	WerFault.exe	94
2940	3656	WerFault.exe	94
1992	3656	WerFault.exe	94
1472	3656	WerFault.exe	94
2852	2000	WerFault.exe	113
2120	2000	WerFault.exe	113
1836	2000	WerFault.exe	113
1332	2000	WerFault.exe	113
4664	2000	WerFault.exe	113
4976	2000	WerFault.exe	113
1792	2000	WerFault.exe	113
4416	2000	WerFault.exe	113
412	2000	WerFault.exe	113
4244	2000	WerFault.exe	113
416	2000	WerFault.exe	113
3480	3656	WerFault.exe	94
2576	2000	WerFault.exe	113
5076	3752	WerFault.exe	142
2500	2000	WerFault.exe	113
4716	2000	WerFault.exe	113
3748	2000	WerFault.exe	113

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4140	pr468317.exe
4140	pr468317.exe
1340	rk878211.exe
2044	1.exe
1340	rk878211.exe
2044	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4140	pr468317.exe
Token: SeDebugPrivilege	4532	qu620799.exe
Token: SeDebugPrivilege	1340	rk878211.exe
Token: SeDebugPrivilege	2044	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3656	si070877.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 4772	4460	3fa34a98ea6815143287f2b6bca832224e953f16e96eca90df339dddc4675ab1.exe	83
PID 4460 wrote to memory of 4772	4460	3fa34a98ea6815143287f2b6bca832224e953f16e96eca90df339dddc4675ab1.exe	83
PID 4460 wrote to memory of 4772	4460	3fa34a98ea6815143287f2b6bca832224e953f16e96eca90df339dddc4675ab1.exe	83
PID 4772 wrote to memory of 1664	4772	un266106.exe	84
PID 4772 wrote to memory of 1664	4772	un266106.exe	84
PID 4772 wrote to memory of 1664	4772	un266106.exe	84
PID 1664 wrote to memory of 4140	1664	un824412.exe	85
PID 1664 wrote to memory of 4140	1664	un824412.exe	85
PID 1664 wrote to memory of 4140	1664	un824412.exe	85
PID 1664 wrote to memory of 4532	1664	un824412.exe	88
PID 1664 wrote to memory of 4532	1664	un824412.exe	88
PID 1664 wrote to memory of 4532	1664	un824412.exe	88
PID 4532 wrote to memory of 2044	4532	qu620799.exe	89
PID 4532 wrote to memory of 2044	4532	qu620799.exe	89
PID 4532 wrote to memory of 2044	4532	qu620799.exe	89
PID 4772 wrote to memory of 1340	4772	un266106.exe	92
PID 4772 wrote to memory of 1340	4772	un266106.exe	92
PID 4772 wrote to memory of 1340	4772	un266106.exe	92
PID 4460 wrote to memory of 3656	4460	3fa34a98ea6815143287f2b6bca832224e953f16e96eca90df339dddc4675ab1.exe	94
PID 4460 wrote to memory of 3656	4460	3fa34a98ea6815143287f2b6bca832224e953f16e96eca90df339dddc4675ab1.exe	94
PID 4460 wrote to memory of 3656	4460	3fa34a98ea6815143287f2b6bca832224e953f16e96eca90df339dddc4675ab1.exe	94
PID 3656 wrote to memory of 2000	3656	si070877.exe	113
PID 3656 wrote to memory of 2000	3656	si070877.exe	113
PID 3656 wrote to memory of 2000	3656	si070877.exe	113
PID 2000 wrote to memory of 5036	2000	oneetx.exe	128
PID 2000 wrote to memory of 5036	2000	oneetx.exe	128
PID 2000 wrote to memory of 5036	2000	oneetx.exe	128
PID 2000 wrote to memory of 2044	2000	oneetx.exe	147
PID 2000 wrote to memory of 2044	2000	oneetx.exe	147
PID 2000 wrote to memory of 2044	2000	oneetx.exe	147

C:\Users\Admin\AppData\Local\Temp\3fa34a98ea6815143287f2b6bca832224e953f16e96eca90df339dddc4675ab1.exe
"C:\Users\Admin\AppData\Local\Temp\3fa34a98ea6815143287f2b6bca832224e953f16e96eca90df339dddc4675ab1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un266106.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un266106.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un824412.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un824412.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr468317.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr468317.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4140
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1080
        5⤵
        Program crash
        
        PID:220
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu620799.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu620799.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1328
        5⤵
        Program crash
        
        PID:896
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk878211.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk878211.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1340
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si070877.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si070877.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 696
    3⤵
    - Program crash
    PID:2888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 780
    3⤵
    - Program crash
    PID:4312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 812
    3⤵
    - Program crash
    PID:4488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 972
    3⤵
    - Program crash
    PID:996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 952
    3⤵
    - Program crash
    PID:4156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 988
    3⤵
    - Program crash
    PID:4892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 1208
    3⤵
    - Program crash
    PID:2940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 1240
    3⤵
    - Program crash
    PID:1992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 1320
    3⤵
    - Program crash
    PID:1472
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 692
      4⤵
      Program crash
      PID:2852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 852
      4⤵
      Program crash
      PID:2120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 912
      4⤵
      Program crash
      PID:1836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1052
      4⤵
      Program crash
      PID:1332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1072
      4⤵
      Program crash
      PID:4664
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1052
      4⤵
      Program crash
      PID:4976
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1096
      4⤵
      Program crash
      PID:1792
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:5036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 996
      4⤵
      Program crash
      PID:4416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 776
      4⤵
      Program crash
      PID:412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 744
      4⤵
      Program crash
      PID:4244
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 756
      4⤵
      Program crash
      PID:416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1100
      4⤵
      Program crash
      PID:2576
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1612
      4⤵
      Program crash
      PID:2500
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1388
      4⤵
      Program crash
      PID:4716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1636
      4⤵
      Program crash
      PID:3748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 712
    3⤵
    - Program crash
    PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4140 -ip 4140
1⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4532 -ip 4532
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3656 -ip 3656
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3656 -ip 3656
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3656 -ip 3656
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3656 -ip 3656
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3656 -ip 3656
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3656 -ip 3656
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3656 -ip 3656
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3656 -ip 3656
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3656 -ip 3656
1⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2000 -ip 2000
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2000 -ip 2000
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2000 -ip 2000
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2000 -ip 2000
1⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2000 -ip 2000
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2000 -ip 2000
1⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2000 -ip 2000
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2000 -ip 2000
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2000 -ip 2000
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2000 -ip 2000
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2000 -ip 2000
1⤵
PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3656 -ip 3656
1⤵
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2000 -ip 2000
1⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:3752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 320
  2⤵
  - Program crash
  PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3752 -ip 3752
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2000 -ip 2000
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2000 -ip 2000
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2000 -ip 2000
1⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
253KB

MD5
ccf548678a6b0c7fa4eb57c8c8d68d8a

SHA1
cee33b5a6f8d99181c7f763472e2518f690015d2

SHA256
56c2b6454635520e95bf5040b0bb9cfe1f6c2fb9503bd12790aacfe1250ec8fc

SHA512
99fe9d93284a80ea536a2456c843a165ee03123d914a9f68e066de1bb432dedb2a48f258286b27c5621e36684b10b6630b3498e110844ca238bcaf260878317b

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
253KB

MD5
ccf548678a6b0c7fa4eb57c8c8d68d8a

SHA1
cee33b5a6f8d99181c7f763472e2518f690015d2

SHA256
56c2b6454635520e95bf5040b0bb9cfe1f6c2fb9503bd12790aacfe1250ec8fc

SHA512
99fe9d93284a80ea536a2456c843a165ee03123d914a9f68e066de1bb432dedb2a48f258286b27c5621e36684b10b6630b3498e110844ca238bcaf260878317b

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
253KB

MD5
ccf548678a6b0c7fa4eb57c8c8d68d8a

SHA1
cee33b5a6f8d99181c7f763472e2518f690015d2

SHA256
56c2b6454635520e95bf5040b0bb9cfe1f6c2fb9503bd12790aacfe1250ec8fc

SHA512
99fe9d93284a80ea536a2456c843a165ee03123d914a9f68e066de1bb432dedb2a48f258286b27c5621e36684b10b6630b3498e110844ca238bcaf260878317b

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
253KB

MD5
ccf548678a6b0c7fa4eb57c8c8d68d8a

SHA1
cee33b5a6f8d99181c7f763472e2518f690015d2

SHA256
56c2b6454635520e95bf5040b0bb9cfe1f6c2fb9503bd12790aacfe1250ec8fc

SHA512
99fe9d93284a80ea536a2456c843a165ee03123d914a9f68e066de1bb432dedb2a48f258286b27c5621e36684b10b6630b3498e110844ca238bcaf260878317b

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
253KB

MD5
ccf548678a6b0c7fa4eb57c8c8d68d8a

SHA1
cee33b5a6f8d99181c7f763472e2518f690015d2

SHA256
56c2b6454635520e95bf5040b0bb9cfe1f6c2fb9503bd12790aacfe1250ec8fc

SHA512
99fe9d93284a80ea536a2456c843a165ee03123d914a9f68e066de1bb432dedb2a48f258286b27c5621e36684b10b6630b3498e110844ca238bcaf260878317b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si070877.exe

Filesize
253KB

MD5
ccf548678a6b0c7fa4eb57c8c8d68d8a

SHA1
cee33b5a6f8d99181c7f763472e2518f690015d2

SHA256
56c2b6454635520e95bf5040b0bb9cfe1f6c2fb9503bd12790aacfe1250ec8fc

SHA512
99fe9d93284a80ea536a2456c843a165ee03123d914a9f68e066de1bb432dedb2a48f258286b27c5621e36684b10b6630b3498e110844ca238bcaf260878317b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si070877.exe

Filesize
253KB

MD5
ccf548678a6b0c7fa4eb57c8c8d68d8a

SHA1
cee33b5a6f8d99181c7f763472e2518f690015d2

SHA256
56c2b6454635520e95bf5040b0bb9cfe1f6c2fb9503bd12790aacfe1250ec8fc

SHA512
99fe9d93284a80ea536a2456c843a165ee03123d914a9f68e066de1bb432dedb2a48f258286b27c5621e36684b10b6630b3498e110844ca238bcaf260878317b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un266106.exe

Filesize
809KB

MD5
096a38654f4bf1364e87790a0eb6c6cb

SHA1
c466bfb979ad670707596ceaf09b5ae7089d185e

SHA256
9fe0acf8e259cbf8e037b569f1f8e7d94c93c00fd2e239bfd9e1dbe7b7af9209

SHA512
e9076745846e5380bddd01f2cf408da80164514d3276d287947aa00e846c8d44d18460a0130a163a0ca834be65483424b74774920a1ffa781e0d1847a695411c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un266106.exe

Filesize
809KB

MD5
096a38654f4bf1364e87790a0eb6c6cb

SHA1
c466bfb979ad670707596ceaf09b5ae7089d185e

SHA256
9fe0acf8e259cbf8e037b569f1f8e7d94c93c00fd2e239bfd9e1dbe7b7af9209

SHA512
e9076745846e5380bddd01f2cf408da80164514d3276d287947aa00e846c8d44d18460a0130a163a0ca834be65483424b74774920a1ffa781e0d1847a695411c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk878211.exe

Filesize
168KB

MD5
ec9f6b853bc8baaa7f4acdd084303852

SHA1
1007ff34167e0870c7f225199db1f9706c088d01

SHA256
190188f6bb9dbdc2a4ec1746a1829db8fd19ece7ac27c0c5f45a8afb6c32fef5

SHA512
705d9b99e299ebb2c9e85d802e88a4ac4ba395bbd4c2b925d0f185f195683d0d66b1378391c15a017dff72a65c5361bf7d891e496e832bcf8fef75c02693f13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk878211.exe

Filesize
168KB

MD5
ec9f6b853bc8baaa7f4acdd084303852

SHA1
1007ff34167e0870c7f225199db1f9706c088d01

SHA256
190188f6bb9dbdc2a4ec1746a1829db8fd19ece7ac27c0c5f45a8afb6c32fef5

SHA512
705d9b99e299ebb2c9e85d802e88a4ac4ba395bbd4c2b925d0f185f195683d0d66b1378391c15a017dff72a65c5361bf7d891e496e832bcf8fef75c02693f13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un824412.exe

Filesize
656KB

MD5
9ac0eb162867876ffaf612e04a8ce5b3

SHA1
130ba39b137674e6f514f6d43c79b8302f62e224

SHA256
4f4c88154e6ee7c5fd7bdf05ff0c5fe5d4a01de85b61bed1107c7607f2ce6211

SHA512
6c7626a73389b65baec947a134a9f425fb0acb310b0e31e7c8c603bbd26074af18e2b6ce65a608b351b6e1b242633cff2b876e9554c5372ce1b1634a4cdc543c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un824412.exe

Filesize
656KB

MD5
9ac0eb162867876ffaf612e04a8ce5b3

SHA1
130ba39b137674e6f514f6d43c79b8302f62e224

SHA256
4f4c88154e6ee7c5fd7bdf05ff0c5fe5d4a01de85b61bed1107c7607f2ce6211

SHA512
6c7626a73389b65baec947a134a9f425fb0acb310b0e31e7c8c603bbd26074af18e2b6ce65a608b351b6e1b242633cff2b876e9554c5372ce1b1634a4cdc543c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr468317.exe

Filesize
261KB

MD5
4f5d5c220c9c4b8b30c3b4d2b72d2daf

SHA1
c1ca496ed133b768eb90852d7e620d70532597ba

SHA256
1acad2dbc0dc9d4124b983456b52dd347d8d4640b475957e300262d453df779b

SHA512
fa4b4e3948cef4603b7b6159d8f5bb96cc9fc6b5017ab5c4796db7ed0a7ebd9ee848cf91a4c2db8c21b6e6f8050124eae8fc1efc5ebf8259c76714650fee9649

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr468317.exe

Filesize
261KB

MD5
4f5d5c220c9c4b8b30c3b4d2b72d2daf

SHA1
c1ca496ed133b768eb90852d7e620d70532597ba

SHA256
1acad2dbc0dc9d4124b983456b52dd347d8d4640b475957e300262d453df779b

SHA512
fa4b4e3948cef4603b7b6159d8f5bb96cc9fc6b5017ab5c4796db7ed0a7ebd9ee848cf91a4c2db8c21b6e6f8050124eae8fc1efc5ebf8259c76714650fee9649

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu620799.exe

Filesize
445KB

MD5
e252c3f1842c602c0be25c5b5f7d81ba

SHA1
bf27b974b041a7fbafb563838e2aaf6b2fed0a4b

SHA256
dd15ca0e5d0d1b474ae0979018a33e630b7123e8ffe1a1eeb8913b550dde9e94

SHA512
ce7d34dc0885275ab369867c8f235ef7acd41c2fd0abdd4a47f79c429e344854a49a9f4b5be7e3f42e67f5ee2399b8124a89669379882c2367d8ca77a0ab3771

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu620799.exe

Filesize
445KB

MD5
e252c3f1842c602c0be25c5b5f7d81ba

SHA1
bf27b974b041a7fbafb563838e2aaf6b2fed0a4b

SHA256
dd15ca0e5d0d1b474ae0979018a33e630b7123e8ffe1a1eeb8913b550dde9e94

SHA512
ce7d34dc0885275ab369867c8f235ef7acd41c2fd0abdd4a47f79c429e344854a49a9f4b5be7e3f42e67f5ee2399b8124a89669379882c2367d8ca77a0ab3771

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/1340-2372-0x0000000007750000-0x0000000007C7C000-memory.dmp

Filesize
5.2MB

Download
memory/1340-2373-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/1340-2371-0x00000000063A0000-0x0000000006562000-memory.dmp

Filesize
1.8MB

Download
memory/1340-2368-0x0000000005210000-0x0000000005286000-memory.dmp

Filesize
472KB

Download
memory/1340-2366-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/1340-2365-0x0000000000550000-0x0000000000580000-memory.dmp

Filesize
192KB

Download
memory/2044-2375-0x0000000006500000-0x0000000006550000-memory.dmp

Filesize
320KB

Download
memory/2044-2374-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/2044-2367-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/2044-2361-0x00000000050E0000-0x000000000511C000-memory.dmp

Filesize
240KB

Download
memory/2044-2359-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/2044-2358-0x0000000005270000-0x000000000537A000-memory.dmp

Filesize
1.0MB

Download
memory/2044-2357-0x0000000005780000-0x0000000005D98000-memory.dmp

Filesize
6.1MB

Download
memory/2044-2356-0x0000000000730000-0x000000000075E000-memory.dmp

Filesize
184KB

Download
memory/2044-2369-0x0000000005520000-0x00000000055B2000-memory.dmp

Filesize
584KB

Download
memory/2044-2370-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/3656-2382-0x0000000000630000-0x000000000066B000-memory.dmp

Filesize
236KB

Download
memory/4140-181-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4140-167-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4140-155-0x0000000004C40000-0x00000000051E4000-memory.dmp

Filesize
5.6MB

Download
memory/4140-156-0x0000000000610000-0x000000000063D000-memory.dmp

Filesize
180KB

Download
memory/4140-157-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4140-159-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4140-158-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4140-160-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4140-161-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4140-163-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4140-165-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4140-192-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4140-169-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4140-171-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4140-173-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4140-175-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4140-177-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4140-179-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4140-183-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4140-185-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4140-187-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4140-188-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4140-189-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4140-190-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4532-317-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/4532-197-0x0000000004C10000-0x0000000004C70000-memory.dmp

Filesize
384KB

Download
memory/4532-198-0x0000000004C10000-0x0000000004C70000-memory.dmp

Filesize
384KB

Download
memory/4532-202-0x0000000004C10000-0x0000000004C70000-memory.dmp

Filesize
384KB

Download
memory/4532-200-0x0000000004C10000-0x0000000004C70000-memory.dmp

Filesize
384KB

Download
memory/4532-204-0x0000000004C10000-0x0000000004C70000-memory.dmp

Filesize
384KB

Download
memory/4532-206-0x0000000004C10000-0x0000000004C70000-memory.dmp

Filesize
384KB

Download
memory/4532-208-0x0000000004C10000-0x0000000004C70000-memory.dmp

Filesize
384KB

Download
memory/4532-210-0x0000000004C10000-0x0000000004C70000-memory.dmp

Filesize
384KB

Download
memory/4532-212-0x0000000004C10000-0x0000000004C70000-memory.dmp

Filesize
384KB

Download
memory/4532-214-0x0000000004C10000-0x0000000004C70000-memory.dmp

Filesize
384KB

Download
memory/4532-2344-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/4532-216-0x0000000004C10000-0x0000000004C70000-memory.dmp

Filesize
384KB

Download
memory/4532-319-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/4532-313-0x0000000000630000-0x000000000068B000-memory.dmp

Filesize
364KB

Download
memory/4532-315-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/4532-230-0x0000000004C10000-0x0000000004C70000-memory.dmp

Filesize
384KB

Download
memory/4532-228-0x0000000004C10000-0x0000000004C70000-memory.dmp

Filesize
384KB

Download
memory/4532-226-0x0000000004C10000-0x0000000004C70000-memory.dmp

Filesize
384KB

Download
memory/4532-224-0x0000000004C10000-0x0000000004C70000-memory.dmp

Filesize
384KB

Download
memory/4532-222-0x0000000004C10000-0x0000000004C70000-memory.dmp

Filesize
384KB

Download
memory/4532-220-0x0000000004C10000-0x0000000004C70000-memory.dmp

Filesize
384KB

Download
memory/4532-218-0x0000000004C10000-0x0000000004C70000-memory.dmp

Filesize
384KB

Download