amadey | 1d7fdbafe74b98676eed22cffe63d1bc29a6047c04fc6bd4bb1bf04f02dc037a

Analysis

max time kernel
160s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2023, 15:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1d7fdbafe74b98676eed22cffe63d1bc29a6047c04fc6bd4bb1bf04f02dc037a.exe
Size

1.1MB
MD5

989b1c35fb92ceafc9efb07032cd62c2
SHA1

a64e75185ac4dee2046e332c893138178e903b77
SHA256

1d7fdbafe74b98676eed22cffe63d1bc29a6047c04fc6bd4bb1bf04f02dc037a
SHA512

ab2573ddf548eb094b982bce4214e8976ce05c8cbc8e44a70e0c823b5648b32643157b38575be1d3bb674165e96479cad89d2f72d96308998ec414b0ad3483d9
SSDEEP

24576:0yPxiXhjj1qs4ugaU88Cf68dBH8bdK/ZyFxVKpyE3oC:DIVj1N4D5ZcBH1/ZAi/o

Score

10^/10

amadey redline diro lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

diro

185.161.248.90:4125

Attributes

auth_value
ae95bda0dd2e95169886a3a68138568b

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr077489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr077489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr077489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr077489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr077489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr077489.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	qu860988.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	si604770.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

pid	Process
1176	un881677.exe
2016	un887158.exe
5092	pr077489.exe
2212	qu860988.exe
3576	1.exe
844	rk722334.exe
2668	si604770.exe
3108	oneetx.exe
4760	oneetx.exe
3600	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
1460	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr077489.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr077489.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1d7fdbafe74b98676eed22cffe63d1bc29a6047c04fc6bd4bb1bf04f02dc037a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1d7fdbafe74b98676eed22cffe63d1bc29a6047c04fc6bd4bb1bf04f02dc037a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un881677.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un881677.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un887158.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un887158.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 28 IoCs

pid	pid_target	Process	procid_target
2624	5092	WerFault.exe	85
3036	2212	WerFault.exe	95
2984	2668	WerFault.exe	102
3100	2668	WerFault.exe	102
3124	2668	WerFault.exe	102
3820	2668	WerFault.exe	102
1004	2668	WerFault.exe	102
2948	2668	WerFault.exe	102
3924	2668	WerFault.exe	102
1484	2668	WerFault.exe	102
3704	2668	WerFault.exe	102
3912	2668	WerFault.exe	102
1852	3108	WerFault.exe	121
1620	3108	WerFault.exe	121
4860	3108	WerFault.exe	121
5004	3108	WerFault.exe	121
1868	3108	WerFault.exe	121
2056	3108	WerFault.exe	121
2504	3108	WerFault.exe	121
8	3108	WerFault.exe	121
1844	3108	WerFault.exe	121
3104	3108	WerFault.exe	121
4016	3108	WerFault.exe	121
1620	3108	WerFault.exe	121
4136	4760	WerFault.exe	157
4756	3108	WerFault.exe	121
3136	3108	WerFault.exe	121
4596	3108	WerFault.exe	121

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5092	pr077489.exe
5092	pr077489.exe
3576	1.exe
3576	1.exe
844	rk722334.exe
844	rk722334.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5092	pr077489.exe
Token: SeDebugPrivilege	2212	qu860988.exe
Token: SeDebugPrivilege	3576	1.exe
Token: SeDebugPrivilege	844	rk722334.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2668	si604770.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 1176	4000	1d7fdbafe74b98676eed22cffe63d1bc29a6047c04fc6bd4bb1bf04f02dc037a.exe	83
PID 4000 wrote to memory of 1176	4000	1d7fdbafe74b98676eed22cffe63d1bc29a6047c04fc6bd4bb1bf04f02dc037a.exe	83
PID 4000 wrote to memory of 1176	4000	1d7fdbafe74b98676eed22cffe63d1bc29a6047c04fc6bd4bb1bf04f02dc037a.exe	83
PID 1176 wrote to memory of 2016	1176	un881677.exe	84
PID 1176 wrote to memory of 2016	1176	un881677.exe	84
PID 1176 wrote to memory of 2016	1176	un881677.exe	84
PID 2016 wrote to memory of 5092	2016	un887158.exe	85
PID 2016 wrote to memory of 5092	2016	un887158.exe	85
PID 2016 wrote to memory of 5092	2016	un887158.exe	85
PID 2016 wrote to memory of 2212	2016	un887158.exe	95
PID 2016 wrote to memory of 2212	2016	un887158.exe	95
PID 2016 wrote to memory of 2212	2016	un887158.exe	95
PID 2212 wrote to memory of 3576	2212	qu860988.exe	98
PID 2212 wrote to memory of 3576	2212	qu860988.exe	98
PID 2212 wrote to memory of 3576	2212	qu860988.exe	98
PID 1176 wrote to memory of 844	1176	un881677.exe	101
PID 1176 wrote to memory of 844	1176	un881677.exe	101
PID 1176 wrote to memory of 844	1176	un881677.exe	101
PID 4000 wrote to memory of 2668	4000	1d7fdbafe74b98676eed22cffe63d1bc29a6047c04fc6bd4bb1bf04f02dc037a.exe	102
PID 4000 wrote to memory of 2668	4000	1d7fdbafe74b98676eed22cffe63d1bc29a6047c04fc6bd4bb1bf04f02dc037a.exe	102
PID 4000 wrote to memory of 2668	4000	1d7fdbafe74b98676eed22cffe63d1bc29a6047c04fc6bd4bb1bf04f02dc037a.exe	102
PID 2668 wrote to memory of 3108	2668	si604770.exe	121
PID 2668 wrote to memory of 3108	2668	si604770.exe	121
PID 2668 wrote to memory of 3108	2668	si604770.exe	121
PID 3108 wrote to memory of 1332	3108	oneetx.exe	138
PID 3108 wrote to memory of 1332	3108	oneetx.exe	138
PID 3108 wrote to memory of 1332	3108	oneetx.exe	138
PID 3108 wrote to memory of 1460	3108	oneetx.exe	170
PID 3108 wrote to memory of 1460	3108	oneetx.exe	170
PID 3108 wrote to memory of 1460	3108	oneetx.exe	170

C:\Users\Admin\AppData\Local\Temp\1d7fdbafe74b98676eed22cffe63d1bc29a6047c04fc6bd4bb1bf04f02dc037a.exe
"C:\Users\Admin\AppData\Local\Temp\1d7fdbafe74b98676eed22cffe63d1bc29a6047c04fc6bd4bb1bf04f02dc037a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un881677.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un881677.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un887158.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un887158.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr077489.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr077489.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5092
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1104
        5⤵
        Program crash
        
        PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu860988.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu860988.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3576
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1368
        5⤵
        Program crash
        
        PID:3036
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk722334.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk722334.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:844
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si604770.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si604770.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 696
    3⤵
    - Program crash
    PID:2984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 780
    3⤵
    - Program crash
    PID:3100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 856
    3⤵
    - Program crash
    PID:3124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 952
    3⤵
    - Program crash
    PID:3820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 988
    3⤵
    - Program crash
    PID:1004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 988
    3⤵
    - Program crash
    PID:2948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1216
    3⤵
    - Program crash
    PID:3924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1228
    3⤵
    - Program crash
    PID:1484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1312
    3⤵
    - Program crash
    PID:3704
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 692
      4⤵
      Program crash
      PID:1852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 844
      4⤵
      Program crash
      PID:1620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 892
      4⤵
      Program crash
      PID:4860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1060
      4⤵
      Program crash
      PID:5004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1096
      4⤵
      Program crash
      PID:1868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1096
      4⤵
      Program crash
      PID:2056
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1060
      4⤵
      Program crash
      PID:2504
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 992
      4⤵
      Program crash
      PID:8
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1320
      4⤵
      Program crash
      PID:1844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1340
      4⤵
      Program crash
      PID:3104
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1308
      4⤵
      Program crash
      PID:4016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1084
      4⤵
      Program crash
      PID:1620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1084
      4⤵
      Program crash
      PID:4756
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:1460
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1544
      4⤵
      Program crash
      PID:3136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1620
      4⤵
      Program crash
      PID:4596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1336
    3⤵
    - Program crash
    PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5092 -ip 5092
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2212 -ip 2212
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2668 -ip 2668
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2668 -ip 2668
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2668 -ip 2668
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2668 -ip 2668
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2668 -ip 2668
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2668 -ip 2668
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2668 -ip 2668
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2668 -ip 2668
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2668 -ip 2668
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2668 -ip 2668
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3108 -ip 3108
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3108 -ip 3108
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3108 -ip 3108
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3108 -ip 3108
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3108 -ip 3108
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3108 -ip 3108
1⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3108 -ip 3108
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3108 -ip 3108
1⤵
PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3108 -ip 3108
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3108 -ip 3108
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3108 -ip 3108
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3108 -ip 3108
1⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 312
  2⤵
  - Program crash
  PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4760 -ip 4760
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3108 -ip 3108
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3108 -ip 3108
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3108 -ip 3108
1⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:3600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
309KB

MD5
36d2dec496e84a6fea85386654562c7f

SHA1
f72ca2fe77224156465c65b91aba219992fd6b60

SHA256
295cfdd068a249427bdbf1c1b30e7dc615371e9f82fd9d089e923ad5c9762f64

SHA512
40f16d47e9c7ed384d4ef8ae39a6a29f6dff3b08b51860d3362ecedab905265ccc180ff1578c0861a772b16638ab7deaf3731703ea10624166890a7c3cd96592

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
309KB

MD5
36d2dec496e84a6fea85386654562c7f

SHA1
f72ca2fe77224156465c65b91aba219992fd6b60

SHA256
295cfdd068a249427bdbf1c1b30e7dc615371e9f82fd9d089e923ad5c9762f64

SHA512
40f16d47e9c7ed384d4ef8ae39a6a29f6dff3b08b51860d3362ecedab905265ccc180ff1578c0861a772b16638ab7deaf3731703ea10624166890a7c3cd96592

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
309KB

MD5
36d2dec496e84a6fea85386654562c7f

SHA1
f72ca2fe77224156465c65b91aba219992fd6b60

SHA256
295cfdd068a249427bdbf1c1b30e7dc615371e9f82fd9d089e923ad5c9762f64

SHA512
40f16d47e9c7ed384d4ef8ae39a6a29f6dff3b08b51860d3362ecedab905265ccc180ff1578c0861a772b16638ab7deaf3731703ea10624166890a7c3cd96592

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
309KB

MD5
36d2dec496e84a6fea85386654562c7f

SHA1
f72ca2fe77224156465c65b91aba219992fd6b60

SHA256
295cfdd068a249427bdbf1c1b30e7dc615371e9f82fd9d089e923ad5c9762f64

SHA512
40f16d47e9c7ed384d4ef8ae39a6a29f6dff3b08b51860d3362ecedab905265ccc180ff1578c0861a772b16638ab7deaf3731703ea10624166890a7c3cd96592

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
309KB

MD5
36d2dec496e84a6fea85386654562c7f

SHA1
f72ca2fe77224156465c65b91aba219992fd6b60

SHA256
295cfdd068a249427bdbf1c1b30e7dc615371e9f82fd9d089e923ad5c9762f64

SHA512
40f16d47e9c7ed384d4ef8ae39a6a29f6dff3b08b51860d3362ecedab905265ccc180ff1578c0861a772b16638ab7deaf3731703ea10624166890a7c3cd96592

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si604770.exe

Filesize
309KB

MD5
36d2dec496e84a6fea85386654562c7f

SHA1
f72ca2fe77224156465c65b91aba219992fd6b60

SHA256
295cfdd068a249427bdbf1c1b30e7dc615371e9f82fd9d089e923ad5c9762f64

SHA512
40f16d47e9c7ed384d4ef8ae39a6a29f6dff3b08b51860d3362ecedab905265ccc180ff1578c0861a772b16638ab7deaf3731703ea10624166890a7c3cd96592

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si604770.exe

Filesize
309KB

MD5
36d2dec496e84a6fea85386654562c7f

SHA1
f72ca2fe77224156465c65b91aba219992fd6b60

SHA256
295cfdd068a249427bdbf1c1b30e7dc615371e9f82fd9d089e923ad5c9762f64

SHA512
40f16d47e9c7ed384d4ef8ae39a6a29f6dff3b08b51860d3362ecedab905265ccc180ff1578c0861a772b16638ab7deaf3731703ea10624166890a7c3cd96592

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un881677.exe

Filesize
818KB

MD5
dff8782e7308b3328927fdf8870622e0

SHA1
404ae1799deb662a6705db31478dc53e3b5330e6

SHA256
883c8a56c11fb9a76092606ce45b570b50847a0885f05bd3e285f8d230706d05

SHA512
ac1a8a02c3a8af8b9b642f8a8e2369120aa7ca0dc4d3468fe18b36a9ba372613f60043f63b3f4d5d875f76e8b8adaf1417b7afc690de23e14a23f11b288d4ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un881677.exe

Filesize
818KB

MD5
dff8782e7308b3328927fdf8870622e0

SHA1
404ae1799deb662a6705db31478dc53e3b5330e6

SHA256
883c8a56c11fb9a76092606ce45b570b50847a0885f05bd3e285f8d230706d05

SHA512
ac1a8a02c3a8af8b9b642f8a8e2369120aa7ca0dc4d3468fe18b36a9ba372613f60043f63b3f4d5d875f76e8b8adaf1417b7afc690de23e14a23f11b288d4ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk722334.exe

Filesize
168KB

MD5
a547e2257a3d04866e672ce45f752164

SHA1
47c9ca9c1c582a011dbdcfbf0dd269753f2da7f0

SHA256
192d510ad8b36a6b14a12b3df0f06cd4aea48506e168d4cffc74ea8fd0d1d093

SHA512
e3c98121b2e1fa19c8561e9942127cf8ca8e28523ce599ebd245eb019162471f607a89087cd1128458306b33e9cf39b262cb44190f775b94069aaa69bc29cd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk722334.exe

Filesize
168KB

MD5
a547e2257a3d04866e672ce45f752164

SHA1
47c9ca9c1c582a011dbdcfbf0dd269753f2da7f0

SHA256
192d510ad8b36a6b14a12b3df0f06cd4aea48506e168d4cffc74ea8fd0d1d093

SHA512
e3c98121b2e1fa19c8561e9942127cf8ca8e28523ce599ebd245eb019162471f607a89087cd1128458306b33e9cf39b262cb44190f775b94069aaa69bc29cd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un887158.exe

Filesize
664KB

MD5
373af907588bc7154433e312c57d43e3

SHA1
268f08e094d13c6eb591eb0322063c13b78386d8

SHA256
14fab17b0b4ebb2c87037c6c7f34968e408af915a15822e3f451a33cb9cc0383

SHA512
bd3c417b0a48adc05b38b8b95d11da4626b578dcae5c3c31ed589999800d06f00b7fa7083faae6af186940ec6249aa25eff518f3b90657ed94f12654cdc4bdc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un887158.exe

Filesize
664KB

MD5
373af907588bc7154433e312c57d43e3

SHA1
268f08e094d13c6eb591eb0322063c13b78386d8

SHA256
14fab17b0b4ebb2c87037c6c7f34968e408af915a15822e3f451a33cb9cc0383

SHA512
bd3c417b0a48adc05b38b8b95d11da4626b578dcae5c3c31ed589999800d06f00b7fa7083faae6af186940ec6249aa25eff518f3b90657ed94f12654cdc4bdc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr077489.exe

Filesize
317KB

MD5
d81baf05d0e9b05e7f1e41478c82dcd6

SHA1
09c4654559f2f1c30264abe2d6401b980b9185f1

SHA256
3a8d8de435619f6e394114a3eb5bde5c13f5f850138d25c1dca2a6ba6e7107a1

SHA512
4004132ac075192eb7deb5dbdde1a19d2e170228115a1311b98874a463e15c71fb8770e00900da728ad4ec7590dd63fe4a3300b71deef047f7989a0fb51a049d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr077489.exe

Filesize
317KB

MD5
d81baf05d0e9b05e7f1e41478c82dcd6

SHA1
09c4654559f2f1c30264abe2d6401b980b9185f1

SHA256
3a8d8de435619f6e394114a3eb5bde5c13f5f850138d25c1dca2a6ba6e7107a1

SHA512
4004132ac075192eb7deb5dbdde1a19d2e170228115a1311b98874a463e15c71fb8770e00900da728ad4ec7590dd63fe4a3300b71deef047f7989a0fb51a049d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu860988.exe

Filesize
501KB

MD5
44951dc20873ea9bf64ac644b62b3c35

SHA1
94f1685e7d803567da7be33a73c58f8112990ee7

SHA256
10910c0c3da4ce497b0f7a63b29b066d994a4ae403bc591c8c96fba6ae9c119a

SHA512
3ecc38627d3c5a6d32802adcb0c05da88b39f09fd768e22e5aa3996a970d9bc18cbf359754cf8770cf80182b36a8466a98a9720aec38fcd774d735bb5948b762

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu860988.exe

Filesize
501KB

MD5
44951dc20873ea9bf64ac644b62b3c35

SHA1
94f1685e7d803567da7be33a73c58f8112990ee7

SHA256
10910c0c3da4ce497b0f7a63b29b066d994a4ae403bc591c8c96fba6ae9c119a

SHA512
3ecc38627d3c5a6d32802adcb0c05da88b39f09fd768e22e5aa3996a970d9bc18cbf359754cf8770cf80182b36a8466a98a9720aec38fcd774d735bb5948b762

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/844-2367-0x0000000000EA0000-0x0000000000ED0000-memory.dmp

Filesize
192KB

Download
memory/844-2368-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/844-2369-0x0000000005B60000-0x0000000005BD6000-memory.dmp

Filesize
472KB

Download
memory/844-2374-0x0000000006B20000-0x0000000006B70000-memory.dmp

Filesize
320KB

Download
memory/2212-215-0x0000000005270000-0x00000000052D0000-memory.dmp

Filesize
384KB

Download
memory/2212-204-0x0000000005270000-0x00000000052D0000-memory.dmp

Filesize
384KB

Download
memory/2212-229-0x0000000005270000-0x00000000052D0000-memory.dmp

Filesize
384KB

Download
memory/2212-2357-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

Filesize
64KB

Download
memory/2212-235-0x0000000005270000-0x00000000052D0000-memory.dmp

Filesize
384KB

Download
memory/2212-198-0x0000000000640000-0x000000000069B000-memory.dmp

Filesize
364KB

Download
memory/2212-199-0x0000000005270000-0x00000000052D0000-memory.dmp

Filesize
384KB

Download
memory/2212-201-0x0000000005270000-0x00000000052D0000-memory.dmp

Filesize
384KB

Download
memory/2212-200-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

Filesize
64KB

Download
memory/2212-203-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

Filesize
64KB

Download
memory/2212-205-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

Filesize
64KB

Download
memory/2212-231-0x0000000005270000-0x00000000052D0000-memory.dmp

Filesize
384KB

Download
memory/2212-207-0x0000000005270000-0x00000000052D0000-memory.dmp

Filesize
384KB

Download
memory/2212-209-0x0000000005270000-0x00000000052D0000-memory.dmp

Filesize
384KB

Download
memory/2212-211-0x0000000005270000-0x00000000052D0000-memory.dmp

Filesize
384KB

Download
memory/2212-213-0x0000000005270000-0x00000000052D0000-memory.dmp

Filesize
384KB

Download
memory/2212-233-0x0000000005270000-0x00000000052D0000-memory.dmp

Filesize
384KB

Download
memory/2212-217-0x0000000005270000-0x00000000052D0000-memory.dmp

Filesize
384KB

Download
memory/2212-219-0x0000000005270000-0x00000000052D0000-memory.dmp

Filesize
384KB

Download
memory/2212-221-0x0000000005270000-0x00000000052D0000-memory.dmp

Filesize
384KB

Download
memory/2212-223-0x0000000005270000-0x00000000052D0000-memory.dmp

Filesize
384KB

Download
memory/2212-225-0x0000000005270000-0x00000000052D0000-memory.dmp

Filesize
384KB

Download
memory/2212-227-0x0000000005270000-0x00000000052D0000-memory.dmp

Filesize
384KB

Download
memory/2668-2382-0x0000000000540000-0x000000000057B000-memory.dmp

Filesize
236KB

Download
memory/3576-2371-0x0000000005CE0000-0x0000000005D46000-memory.dmp

Filesize
408KB

Download
memory/3576-2362-0x0000000005810000-0x000000000584C000-memory.dmp

Filesize
240KB

Download
memory/3576-2375-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/3576-2373-0x0000000009020000-0x000000000954C000-memory.dmp

Filesize
5.2MB

Download
memory/3576-2372-0x0000000006C40000-0x0000000006E02000-memory.dmp

Filesize
1.8MB

Download
memory/3576-2370-0x0000000005C40000-0x0000000005CD2000-memory.dmp

Filesize
584KB

Download
memory/3576-2356-0x0000000000E60000-0x0000000000E8E000-memory.dmp

Filesize
184KB

Download
memory/3576-2366-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/3576-2358-0x0000000005D90000-0x00000000063A8000-memory.dmp

Filesize
6.1MB

Download
memory/3576-2359-0x0000000005880000-0x000000000598A000-memory.dmp

Filesize
1.0MB

Download
memory/3576-2360-0x00000000057B0000-0x00000000057C2000-memory.dmp

Filesize
72KB

Download
memory/5092-178-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/5092-172-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/5092-182-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/5092-180-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/5092-191-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/5092-176-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/5092-188-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/5092-185-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/5092-192-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/5092-186-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/5092-187-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/5092-174-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/5092-190-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/5092-184-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/5092-170-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/5092-193-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/5092-168-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/5092-166-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/5092-164-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/5092-162-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/5092-160-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/5092-158-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/5092-157-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/5092-156-0x0000000004AE0000-0x0000000005084000-memory.dmp

Filesize
5.6MB

Download
memory/5092-155-0x00000000007D0000-0x00000000007FD000-memory.dmp

Filesize
180KB

Download