amadey | eeaff9fc04d475338f174f40b75275984614bc88ae48a0150eec264d657534f1

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2023, 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeaff9fc04d475338f174f40b75275984614bc88ae48a0150eec264d657534f1.exe
Size

1.0MB
MD5

d251cf6bed12dca1692352f1d3fd99eb
SHA1

6f772941a308959e47aab14ab6e4942a39ea6af3
SHA256

eeaff9fc04d475338f174f40b75275984614bc88ae48a0150eec264d657534f1
SHA512

7369b1178074ef9fd86108b014e79905f5e838be5e0f4479b7abd05517001806d0cbdd3c87f4406785d66bf24c2db14781f180b6f9662200c0790781de479ed0
SSDEEP

24576:1y1x0SmYRHD3sFaDBqf3Ttolb146MFzLslGK95:QQ0Ra5kJ4RyG

Score

10^/10

amadey redline disa lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

185.161.248.90:4125

Attributes

auth_value
93f8c4ca7000e3381dd4b6b86434de05

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it475004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it475004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it475004.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it475004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it475004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it475004.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	jr588635.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	lr954655.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
4720	zinG4381.exe
4112	zicJ6607.exe
1180	it475004.exe
4828	jr588635.exe
1476	1.exe
3040	kp006003.exe
3360	lr954655.exe
2800	oneetx.exe
1240	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
4740	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it475004.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eeaff9fc04d475338f174f40b75275984614bc88ae48a0150eec264d657534f1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zinG4381.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zinG4381.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zicJ6607.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zicJ6607.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	eeaff9fc04d475338f174f40b75275984614bc88ae48a0150eec264d657534f1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3544	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 29 IoCs

pid	pid_target	Process	procid_target
836	4828	WerFault.exe	91
936	3360	WerFault.exe	97
1324	3360	WerFault.exe	97
224	3360	WerFault.exe	97
4260	3360	WerFault.exe	97
1996	3360	WerFault.exe	97
4884	3360	WerFault.exe	97
968	3360	WerFault.exe	97
4432	3360	WerFault.exe	97
720	3360	WerFault.exe	97
2168	3360	WerFault.exe	97
3756	2800	WerFault.exe	119
1416	2800	WerFault.exe	119
404	2800	WerFault.exe	119
2144	2800	WerFault.exe	119
4512	2800	WerFault.exe	119
4900	2800	WerFault.exe	119
3372	2800	WerFault.exe	119
1628	2800	WerFault.exe	119
4936	2800	WerFault.exe	119
4824	2800	WerFault.exe	119
2580	2800	WerFault.exe	119
1540	2800	WerFault.exe	119
1176	2800	WerFault.exe	119
1008	2800	WerFault.exe	119
4692	1240	WerFault.exe	149
3972	1240	WerFault.exe	149
820	1240	WerFault.exe	149
4044	2800	WerFault.exe	119

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4924	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1180	it475004.exe
1180	it475004.exe
3040	kp006003.exe
1476	1.exe
1476	1.exe
3040	kp006003.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	it475004.exe
Token: SeDebugPrivilege	4828	jr588635.exe
Token: SeDebugPrivilege	3040	kp006003.exe
Token: SeDebugPrivilege	1476	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3360	lr954655.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 4720	1620	eeaff9fc04d475338f174f40b75275984614bc88ae48a0150eec264d657534f1.exe	85
PID 1620 wrote to memory of 4720	1620	eeaff9fc04d475338f174f40b75275984614bc88ae48a0150eec264d657534f1.exe	85
PID 1620 wrote to memory of 4720	1620	eeaff9fc04d475338f174f40b75275984614bc88ae48a0150eec264d657534f1.exe	85
PID 4720 wrote to memory of 4112	4720	zinG4381.exe	86
PID 4720 wrote to memory of 4112	4720	zinG4381.exe	86
PID 4720 wrote to memory of 4112	4720	zinG4381.exe	86
PID 4112 wrote to memory of 1180	4112	zicJ6607.exe	87
PID 4112 wrote to memory of 1180	4112	zicJ6607.exe	87
PID 4112 wrote to memory of 4828	4112	zicJ6607.exe	91
PID 4112 wrote to memory of 4828	4112	zicJ6607.exe	91
PID 4112 wrote to memory of 4828	4112	zicJ6607.exe	91
PID 4828 wrote to memory of 1476	4828	jr588635.exe	92
PID 4828 wrote to memory of 1476	4828	jr588635.exe	92
PID 4828 wrote to memory of 1476	4828	jr588635.exe	92
PID 4720 wrote to memory of 3040	4720	zinG4381.exe	95
PID 4720 wrote to memory of 3040	4720	zinG4381.exe	95
PID 4720 wrote to memory of 3040	4720	zinG4381.exe	95
PID 1620 wrote to memory of 3360	1620	eeaff9fc04d475338f174f40b75275984614bc88ae48a0150eec264d657534f1.exe	97
PID 1620 wrote to memory of 3360	1620	eeaff9fc04d475338f174f40b75275984614bc88ae48a0150eec264d657534f1.exe	97
PID 1620 wrote to memory of 3360	1620	eeaff9fc04d475338f174f40b75275984614bc88ae48a0150eec264d657534f1.exe	97
PID 3360 wrote to memory of 2800	3360	lr954655.exe	119
PID 3360 wrote to memory of 2800	3360	lr954655.exe	119
PID 3360 wrote to memory of 2800	3360	lr954655.exe	119
PID 2800 wrote to memory of 4924	2800	oneetx.exe	137
PID 2800 wrote to memory of 4924	2800	oneetx.exe	137
PID 2800 wrote to memory of 4924	2800	oneetx.exe	137
PID 2800 wrote to memory of 4740	2800	oneetx.exe	152
PID 2800 wrote to memory of 4740	2800	oneetx.exe	152
PID 2800 wrote to memory of 4740	2800	oneetx.exe	152

C:\Users\Admin\AppData\Local\Temp\eeaff9fc04d475338f174f40b75275984614bc88ae48a0150eec264d657534f1.exe
"C:\Users\Admin\AppData\Local\Temp\eeaff9fc04d475338f174f40b75275984614bc88ae48a0150eec264d657534f1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinG4381.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinG4381.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zicJ6607.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zicJ6607.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it475004.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it475004.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1180
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr588635.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr588635.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1388
        5⤵
        Program crash
        
        PID:836
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp006003.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp006003.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr954655.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr954655.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 700
    3⤵
    - Program crash
    PID:936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 796
    3⤵
    - Program crash
    PID:1324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 860
    3⤵
    - Program crash
    PID:224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 956
    3⤵
    - Program crash
    PID:4260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 964
    3⤵
    - Program crash
    PID:1996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 984
    3⤵
    - Program crash
    PID:4884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 1216
    3⤵
    - Program crash
    PID:968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 1248
    3⤵
    - Program crash
    PID:4432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 1316
    3⤵
    - Program crash
    PID:720
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 696
      4⤵
      Program crash
      PID:3756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 840
      4⤵
      Program crash
      PID:1416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 900
      4⤵
      Program crash
      PID:404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 1056
      4⤵
      Program crash
      PID:2144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 1056
      4⤵
      Program crash
      PID:4512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 1088
      4⤵
      Program crash
      PID:4900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 1096
      4⤵
      Program crash
      PID:3372
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 1008
      4⤵
      Program crash
      PID:1628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 688
      4⤵
      Program crash
      PID:4936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 1292
      4⤵
      Program crash
      PID:4824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 760
      4⤵
      Program crash
      PID:2580
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 1116
      4⤵
      Program crash
      PID:1540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 1368
      4⤵
      Program crash
      PID:1176
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4740
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 1104
      4⤵
      Program crash
      PID:1008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 1632
      4⤵
      Program crash
      PID:4044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 1360
    3⤵
    - Program crash
    PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4828 -ip 4828
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3360 -ip 3360
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3360 -ip 3360
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3360 -ip 3360
1⤵
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3360 -ip 3360
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3360 -ip 3360
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3360 -ip 3360
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3360 -ip 3360
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3360 -ip 3360
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3360 -ip 3360
1⤵
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3360 -ip 3360
1⤵
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2800 -ip 2800
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2800 -ip 2800
1⤵
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2800 -ip 2800
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2800 -ip 2800
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2800 -ip 2800
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2800 -ip 2800
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2800 -ip 2800
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2800 -ip 2800
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2800 -ip 2800
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2800 -ip 2800
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2800 -ip 2800
1⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2800 -ip 2800
1⤵
PID:428

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:1240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 396
  2⤵
  - Program crash
  PID:4692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 440
  2⤵
  - Program crash
  PID:3972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 440
  2⤵
  - Program crash
  PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2800 -ip 2800
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2800 -ip 2800
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1240 -ip 1240
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1240 -ip 1240
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1240 -ip 1240
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2800 -ip 2800
1⤵
PID:4432

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:3544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
3b4f2a4d8dca852944a267ed2830e399

SHA1
fdb24f66cd6baf27e5f2631fd981afd71732a352

SHA256
ff3e602e3250c9fcbdb5c32d714676400356f27edf28b27315cf8f240f366f6e

SHA512
81fbda54e0d5e96ab119714d2aebd3089a6953c7e9f05dfe55191517ecbadc9c4e36c93b19ba73bbb7019a8408a879c01f78e97cea45ce5fee1780fc39626fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
3b4f2a4d8dca852944a267ed2830e399

SHA1
fdb24f66cd6baf27e5f2631fd981afd71732a352

SHA256
ff3e602e3250c9fcbdb5c32d714676400356f27edf28b27315cf8f240f366f6e

SHA512
81fbda54e0d5e96ab119714d2aebd3089a6953c7e9f05dfe55191517ecbadc9c4e36c93b19ba73bbb7019a8408a879c01f78e97cea45ce5fee1780fc39626fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
3b4f2a4d8dca852944a267ed2830e399

SHA1
fdb24f66cd6baf27e5f2631fd981afd71732a352

SHA256
ff3e602e3250c9fcbdb5c32d714676400356f27edf28b27315cf8f240f366f6e

SHA512
81fbda54e0d5e96ab119714d2aebd3089a6953c7e9f05dfe55191517ecbadc9c4e36c93b19ba73bbb7019a8408a879c01f78e97cea45ce5fee1780fc39626fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
396KB

MD5
3b4f2a4d8dca852944a267ed2830e399

SHA1
fdb24f66cd6baf27e5f2631fd981afd71732a352

SHA256
ff3e602e3250c9fcbdb5c32d714676400356f27edf28b27315cf8f240f366f6e

SHA512
81fbda54e0d5e96ab119714d2aebd3089a6953c7e9f05dfe55191517ecbadc9c4e36c93b19ba73bbb7019a8408a879c01f78e97cea45ce5fee1780fc39626fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr954655.exe

Filesize
396KB

MD5
3b4f2a4d8dca852944a267ed2830e399

SHA1
fdb24f66cd6baf27e5f2631fd981afd71732a352

SHA256
ff3e602e3250c9fcbdb5c32d714676400356f27edf28b27315cf8f240f366f6e

SHA512
81fbda54e0d5e96ab119714d2aebd3089a6953c7e9f05dfe55191517ecbadc9c4e36c93b19ba73bbb7019a8408a879c01f78e97cea45ce5fee1780fc39626fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr954655.exe

Filesize
396KB

MD5
3b4f2a4d8dca852944a267ed2830e399

SHA1
fdb24f66cd6baf27e5f2631fd981afd71732a352

SHA256
ff3e602e3250c9fcbdb5c32d714676400356f27edf28b27315cf8f240f366f6e

SHA512
81fbda54e0d5e96ab119714d2aebd3089a6953c7e9f05dfe55191517ecbadc9c4e36c93b19ba73bbb7019a8408a879c01f78e97cea45ce5fee1780fc39626fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinG4381.exe

Filesize
723KB

MD5
47772b27fa669bd9b67573b778bc0e20

SHA1
28b569148d2f5c221c94a67ed1831c9563898c19

SHA256
2177ad6d26d58dcb2cc652304fccc6087e83e7ee66091f3e9737ed82b38527af

SHA512
12dab6218ac07beea8fd8075d79b9f034f0412191db03dec569e291c5d82a9aa4a4fb2d5ac739c90dec4a424a48fca506bf4323fecc6c4988732ef75c9a7a82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinG4381.exe

Filesize
723KB

MD5
47772b27fa669bd9b67573b778bc0e20

SHA1
28b569148d2f5c221c94a67ed1831c9563898c19

SHA256
2177ad6d26d58dcb2cc652304fccc6087e83e7ee66091f3e9737ed82b38527af

SHA512
12dab6218ac07beea8fd8075d79b9f034f0412191db03dec569e291c5d82a9aa4a4fb2d5ac739c90dec4a424a48fca506bf4323fecc6c4988732ef75c9a7a82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp006003.exe

Filesize
169KB

MD5
296677e657cb81631852c107f82ef1f7

SHA1
60e4122a0bf17ffd2309e857bfb2fb8fd246374d

SHA256
26199b6630446b9ca62a31c0e0d921c4d3fea908aeccb0b33bf5892b6de69e34

SHA512
2c310add53495af6c9286e476ce2f7715548bf35a1236f9e20ef4142e724006f389d722947563fd9452c76f4903bde6e09b94819a56a9aa8d3f0fa5b3a21011d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp006003.exe

Filesize
169KB

MD5
296677e657cb81631852c107f82ef1f7

SHA1
60e4122a0bf17ffd2309e857bfb2fb8fd246374d

SHA256
26199b6630446b9ca62a31c0e0d921c4d3fea908aeccb0b33bf5892b6de69e34

SHA512
2c310add53495af6c9286e476ce2f7715548bf35a1236f9e20ef4142e724006f389d722947563fd9452c76f4903bde6e09b94819a56a9aa8d3f0fa5b3a21011d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zicJ6607.exe

Filesize
569KB

MD5
61ad689b47d7da346729d50c163f85cf

SHA1
f69530abafb630e716b2e17ca25fe111b12d378d

SHA256
df080213622143eb68e091e5d7c677f1259c41b96a793866a3fd3832761bb3a1

SHA512
cc9f741d087c96f5d56c09bace7369a3c8376bbaa6d8f11139de5ecab7769204a54eebc3b3bb404b2b29f17a125880fbe9bccbc0b6358d8e2653008885b8b84e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zicJ6607.exe

Filesize
569KB

MD5
61ad689b47d7da346729d50c163f85cf

SHA1
f69530abafb630e716b2e17ca25fe111b12d378d

SHA256
df080213622143eb68e091e5d7c677f1259c41b96a793866a3fd3832761bb3a1

SHA512
cc9f741d087c96f5d56c09bace7369a3c8376bbaa6d8f11139de5ecab7769204a54eebc3b3bb404b2b29f17a125880fbe9bccbc0b6358d8e2653008885b8b84e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it475004.exe

Filesize
11KB

MD5
ffa806fcde598c40288f7dedcf1f3687

SHA1
205b34112f10fb73813018f5e44c744386e1a96b

SHA256
83ee008e83c0ab56a531c5ff7c7aefb9dee303aa02e7e81c8cf407d4dee617a0

SHA512
6dbaaf246c6ea4246b5ca168e5effaa6fc9663668888250d232754ea48c14f6ba95c43e8b49480f46ba0d614b13a971a308b6a109b684c02b6d529af66769c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it475004.exe

Filesize
11KB

MD5
ffa806fcde598c40288f7dedcf1f3687

SHA1
205b34112f10fb73813018f5e44c744386e1a96b

SHA256
83ee008e83c0ab56a531c5ff7c7aefb9dee303aa02e7e81c8cf407d4dee617a0

SHA512
6dbaaf246c6ea4246b5ca168e5effaa6fc9663668888250d232754ea48c14f6ba95c43e8b49480f46ba0d614b13a971a308b6a109b684c02b6d529af66769c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr588635.exe

Filesize
588KB

MD5
8f11144458377f51847f5527771ead58

SHA1
245cc215fac9b29e6676f8cbb0d1d0f39c57c12d

SHA256
eeace4cf6138151a35b14796eccb02626d18cf0bc544906f86f2051aa6fbbaef

SHA512
6c7caf83e1769d99ddbbe1b77ba85623d788a62cad166776e427e3b48c86d7429e253ca70f99d23d577c770cc3b45ca401dff5373ca28b03f3195b981a498209

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr588635.exe

Filesize
588KB

MD5
8f11144458377f51847f5527771ead58

SHA1
245cc215fac9b29e6676f8cbb0d1d0f39c57c12d

SHA256
eeace4cf6138151a35b14796eccb02626d18cf0bc544906f86f2051aa6fbbaef

SHA512
6c7caf83e1769d99ddbbe1b77ba85623d788a62cad166776e427e3b48c86d7429e253ca70f99d23d577c770cc3b45ca401dff5373ca28b03f3195b981a498209

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/1180-154-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/1476-2324-0x00000000054B0000-0x00000000054EC000-memory.dmp

Filesize
240KB

Download
memory/1476-2321-0x0000000005C20000-0x0000000006238000-memory.dmp

Filesize
6.1MB

Download
memory/1476-2334-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/1476-2333-0x0000000005AF0000-0x0000000005B82000-memory.dmp

Filesize
584KB

Download
memory/1476-2332-0x00000000059D0000-0x0000000005A46000-memory.dmp

Filesize
472KB

Download
memory/1476-2338-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/1476-2320-0x0000000000C10000-0x0000000000C3E000-memory.dmp

Filesize
184KB

Download
memory/1476-2336-0x0000000008EB0000-0x00000000093DC000-memory.dmp

Filesize
5.2MB

Download
memory/1476-2337-0x0000000006890000-0x00000000068E0000-memory.dmp

Filesize
320KB

Download
memory/1476-2325-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/1476-2335-0x0000000006900000-0x0000000006AC2000-memory.dmp

Filesize
1.8MB

Download
memory/1476-2323-0x0000000005450000-0x0000000005462000-memory.dmp

Filesize
72KB

Download
memory/1476-2322-0x0000000005710000-0x000000000581A000-memory.dmp

Filesize
1.0MB

Download
memory/3040-2330-0x00000000008A0000-0x00000000008D0000-memory.dmp

Filesize
192KB

Download
memory/3040-2331-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/3040-2339-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/3360-2346-0x0000000000A90000-0x0000000000ACB000-memory.dmp

Filesize
236KB

Download
memory/4828-176-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-220-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-222-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-226-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-224-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-228-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-2307-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/4828-218-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-216-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-214-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-212-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-210-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-208-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-206-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-204-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-202-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-200-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-198-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-196-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-194-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-192-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-190-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-188-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-186-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-184-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-182-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-180-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-178-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-174-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-172-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-170-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-168-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-166-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-165-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/4828-164-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/4828-163-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/4828-162-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/4828-161-0x00000000009A0000-0x00000000009FB000-memory.dmp

Filesize
364KB

Download
memory/4828-160-0x0000000004F90000-0x0000000005534000-memory.dmp

Filesize
5.6MB

Download