amadey | 91bfb3e8495b89be16f831e1dba0d1d1374566b949c7917c44926c209a36ff11

Analysis

max time kernel
142s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2023, 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91bfb3e8495b89be16f831e1dba0d1d1374566b949c7917c44926c209a36ff11.exe
Size

1.2MB
MD5

05585570f3bef87f9932bdc0b6e628b0
SHA1

b36e1029d879096bb59ec95549085213ebc9adc5
SHA256

91bfb3e8495b89be16f831e1dba0d1d1374566b949c7917c44926c209a36ff11
SHA512

c656808d5e3b782f2076b22d07ac4890e85a1ae1f67df6de1495b4b3e66e7f9726aeca06817a024ea15518024afb9ad0c64cace418c995dea2b64424002cedac
SSDEEP

24576:iytcUrmDtmPVg79zoP3fN+oq1cSxk1ydJyDIX0XPt+S3LSu:JtcUrPVg7hoffNG1e1ydg8X0YSb

Score

10^/10

amadey redline diza losk discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

losk

185.161.248.150:4128

Attributes

auth_value
c0a6c391e53d2d9cd27bb17d1d38ada3

Extracted

Family

redline

Botnet

diza

185.161.248.150:4128

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr511369.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr511369.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr511369.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr511369.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr511369.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr511369.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	qu415032.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	si064492.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

pid	Process
5072	un403553.exe
1800	un599084.exe
708	pr511369.exe
3560	qu415032.exe
3324	1.exe
2532	rk837085.exe
232	si064492.exe
2772	oneetx.exe
3728	oneetx.exe
4404	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
624	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr511369.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr511369.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un403553.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un599084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un599084.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	91bfb3e8495b89be16f831e1dba0d1d1374566b949c7917c44926c209a36ff11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	91bfb3e8495b89be16f831e1dba0d1d1374566b949c7917c44926c209a36ff11.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un403553.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 29 IoCs

pid	pid_target	Process	procid_target
1396	708	WerFault.exe	85
3744	3560	WerFault.exe	92
4068	232	WerFault.exe	100
932	232	WerFault.exe	100
1632	232	WerFault.exe	100
1496	232	WerFault.exe	100
2224	232	WerFault.exe	100
1964	232	WerFault.exe	100
4944	232	WerFault.exe	100
3768	232	WerFault.exe	100
2348	232	WerFault.exe	100
4084	232	WerFault.exe	100
2184	2772	WerFault.exe	121
952	2772	WerFault.exe	121
3732	2772	WerFault.exe	121
3432	2772	WerFault.exe	121
460	2772	WerFault.exe	121
4604	2772	WerFault.exe	121
828	2772	WerFault.exe	121
652	2772	WerFault.exe	121
3240	2772	WerFault.exe	121
1908	2772	WerFault.exe	121
5044	2772	WerFault.exe	121
1160	2772	WerFault.exe	121
1344	3728	WerFault.exe	151
3352	2772	WerFault.exe	121
3600	2772	WerFault.exe	121
3012	2772	WerFault.exe	121
3768	4404	WerFault.exe	161

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
708	pr511369.exe
708	pr511369.exe
3324	1.exe
3324	1.exe
2532	rk837085.exe
2532	rk837085.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	708	pr511369.exe
Token: SeDebugPrivilege	3560	qu415032.exe
Token: SeDebugPrivilege	3324	1.exe
Token: SeDebugPrivilege	2532	rk837085.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
232	si064492.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 5072	2364	91bfb3e8495b89be16f831e1dba0d1d1374566b949c7917c44926c209a36ff11.exe	83
PID 2364 wrote to memory of 5072	2364	91bfb3e8495b89be16f831e1dba0d1d1374566b949c7917c44926c209a36ff11.exe	83
PID 2364 wrote to memory of 5072	2364	91bfb3e8495b89be16f831e1dba0d1d1374566b949c7917c44926c209a36ff11.exe	83
PID 5072 wrote to memory of 1800	5072	un403553.exe	84
PID 5072 wrote to memory of 1800	5072	un403553.exe	84
PID 5072 wrote to memory of 1800	5072	un403553.exe	84
PID 1800 wrote to memory of 708	1800	un599084.exe	85
PID 1800 wrote to memory of 708	1800	un599084.exe	85
PID 1800 wrote to memory of 708	1800	un599084.exe	85
PID 1800 wrote to memory of 3560	1800	un599084.exe	92
PID 1800 wrote to memory of 3560	1800	un599084.exe	92
PID 1800 wrote to memory of 3560	1800	un599084.exe	92
PID 3560 wrote to memory of 3324	3560	qu415032.exe	93
PID 3560 wrote to memory of 3324	3560	qu415032.exe	93
PID 3560 wrote to memory of 3324	3560	qu415032.exe	93
PID 5072 wrote to memory of 2532	5072	un403553.exe	96
PID 5072 wrote to memory of 2532	5072	un403553.exe	96
PID 5072 wrote to memory of 2532	5072	un403553.exe	96
PID 2364 wrote to memory of 232	2364	91bfb3e8495b89be16f831e1dba0d1d1374566b949c7917c44926c209a36ff11.exe	100
PID 2364 wrote to memory of 232	2364	91bfb3e8495b89be16f831e1dba0d1d1374566b949c7917c44926c209a36ff11.exe	100
PID 2364 wrote to memory of 232	2364	91bfb3e8495b89be16f831e1dba0d1d1374566b949c7917c44926c209a36ff11.exe	100
PID 232 wrote to memory of 2772	232	si064492.exe	121
PID 232 wrote to memory of 2772	232	si064492.exe	121
PID 232 wrote to memory of 2772	232	si064492.exe	121
PID 2772 wrote to memory of 3896	2772	oneetx.exe	139
PID 2772 wrote to memory of 3896	2772	oneetx.exe	139
PID 2772 wrote to memory of 3896	2772	oneetx.exe	139
PID 2772 wrote to memory of 624	2772	oneetx.exe	156
PID 2772 wrote to memory of 624	2772	oneetx.exe	156
PID 2772 wrote to memory of 624	2772	oneetx.exe	156

C:\Users\Admin\AppData\Local\Temp\91bfb3e8495b89be16f831e1dba0d1d1374566b949c7917c44926c209a36ff11.exe
"C:\Users\Admin\AppData\Local\Temp\91bfb3e8495b89be16f831e1dba0d1d1374566b949c7917c44926c209a36ff11.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un403553.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un403553.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un599084.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un599084.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr511369.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr511369.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 1080
        5⤵
        Program crash
        
        PID:1396
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu415032.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu415032.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3560
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 1372
        5⤵
        Program crash
        
        PID:3744
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk837085.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk837085.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si064492.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si064492.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 696
    3⤵
    - Program crash
    PID:4068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 780
    3⤵
    - Program crash
    PID:932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 856
    3⤵
    - Program crash
    PID:1632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 864
    3⤵
    - Program crash
    PID:1496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 860
    3⤵
    - Program crash
    PID:2224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 860
    3⤵
    - Program crash
    PID:1964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1204
    3⤵
    - Program crash
    PID:4944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1260
    3⤵
    - Program crash
    PID:3768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1312
    3⤵
    - Program crash
    PID:2348
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 692
      4⤵
      Program crash
      PID:2184
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 840
      4⤵
      Program crash
      PID:952
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 912
      4⤵
      Program crash
      PID:3732
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1052
      4⤵
      Program crash
      PID:3432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1088
      4⤵
      Program crash
      PID:460
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1088
      4⤵
      Program crash
      PID:4604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1100
      4⤵
      Program crash
      PID:828
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1000
      4⤵
      Program crash
      PID:652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 908
      4⤵
      Program crash
      PID:3240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1224
      4⤵
      Program crash
      PID:1908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 908
      4⤵
      Program crash
      PID:5044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1108
      4⤵
      Program crash
      PID:1160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1612
      4⤵
      Program crash
      PID:3352
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1556
      4⤵
      Program crash
      PID:3600
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1628
      4⤵
      Program crash
      PID:3012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1356
    3⤵
    - Program crash
    PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 708 -ip 708
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3560 -ip 3560
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 232 -ip 232
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 232 -ip 232
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 232 -ip 232
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 232 -ip 232
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 232 -ip 232
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 232 -ip 232
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 232 -ip 232
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 232 -ip 232
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 232 -ip 232
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 232 -ip 232
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2772 -ip 2772
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2772 -ip 2772
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2772 -ip 2772
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2772 -ip 2772
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2772 -ip 2772
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2772 -ip 2772
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2772 -ip 2772
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2772 -ip 2772
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2772 -ip 2772
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2772 -ip 2772
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2772 -ip 2772
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2772 -ip 2772
1⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:3728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 320
  2⤵
  - Program crash
  PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3728 -ip 3728
1⤵
PID:508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2772 -ip 2772
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2772 -ip 2772
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2772 -ip 2772
1⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 312
  2⤵
  - Program crash
  PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4404 -ip 4404
1⤵
PID:4400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
2b80c6016bce89cf27d56f1a3dfdd172

SHA1
d67f7d7dabcf137766f489b5948df2a55d00b44e

SHA256
8b9b5bd9b87fe71014f75e0d14a35a92b1b1489daaa10dfa737a5dd8b33c67cb

SHA512
e72718d944ce42ff766bbc7f8aa21d140ec1013f49712ef31a4ba998226fd185eb8d29c8118f52f377bf318d7fa665630c3a8de1dd8d77ebefa22455f2344eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
2b80c6016bce89cf27d56f1a3dfdd172

SHA1
d67f7d7dabcf137766f489b5948df2a55d00b44e

SHA256
8b9b5bd9b87fe71014f75e0d14a35a92b1b1489daaa10dfa737a5dd8b33c67cb

SHA512
e72718d944ce42ff766bbc7f8aa21d140ec1013f49712ef31a4ba998226fd185eb8d29c8118f52f377bf318d7fa665630c3a8de1dd8d77ebefa22455f2344eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
2b80c6016bce89cf27d56f1a3dfdd172

SHA1
d67f7d7dabcf137766f489b5948df2a55d00b44e

SHA256
8b9b5bd9b87fe71014f75e0d14a35a92b1b1489daaa10dfa737a5dd8b33c67cb

SHA512
e72718d944ce42ff766bbc7f8aa21d140ec1013f49712ef31a4ba998226fd185eb8d29c8118f52f377bf318d7fa665630c3a8de1dd8d77ebefa22455f2344eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
2b80c6016bce89cf27d56f1a3dfdd172

SHA1
d67f7d7dabcf137766f489b5948df2a55d00b44e

SHA256
8b9b5bd9b87fe71014f75e0d14a35a92b1b1489daaa10dfa737a5dd8b33c67cb

SHA512
e72718d944ce42ff766bbc7f8aa21d140ec1013f49712ef31a4ba998226fd185eb8d29c8118f52f377bf318d7fa665630c3a8de1dd8d77ebefa22455f2344eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
2b80c6016bce89cf27d56f1a3dfdd172

SHA1
d67f7d7dabcf137766f489b5948df2a55d00b44e

SHA256
8b9b5bd9b87fe71014f75e0d14a35a92b1b1489daaa10dfa737a5dd8b33c67cb

SHA512
e72718d944ce42ff766bbc7f8aa21d140ec1013f49712ef31a4ba998226fd185eb8d29c8118f52f377bf318d7fa665630c3a8de1dd8d77ebefa22455f2344eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si064492.exe

Filesize
395KB

MD5
2b80c6016bce89cf27d56f1a3dfdd172

SHA1
d67f7d7dabcf137766f489b5948df2a55d00b44e

SHA256
8b9b5bd9b87fe71014f75e0d14a35a92b1b1489daaa10dfa737a5dd8b33c67cb

SHA512
e72718d944ce42ff766bbc7f8aa21d140ec1013f49712ef31a4ba998226fd185eb8d29c8118f52f377bf318d7fa665630c3a8de1dd8d77ebefa22455f2344eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si064492.exe

Filesize
395KB

MD5
2b80c6016bce89cf27d56f1a3dfdd172

SHA1
d67f7d7dabcf137766f489b5948df2a55d00b44e

SHA256
8b9b5bd9b87fe71014f75e0d14a35a92b1b1489daaa10dfa737a5dd8b33c67cb

SHA512
e72718d944ce42ff766bbc7f8aa21d140ec1013f49712ef31a4ba998226fd185eb8d29c8118f52f377bf318d7fa665630c3a8de1dd8d77ebefa22455f2344eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un403553.exe

Filesize
861KB

MD5
bae40ddb5eb31c933f9902ce1569bdb4

SHA1
69a98c9322b6da42a269be60f8ca466f9739408b

SHA256
08f07fca5ed1f415f4623fe53482b3b63c5e53a1fc31aac30f25b2808cbd5222

SHA512
8a96b759bff19c697c04ae757b08693a89745efb8f3cac90840650eb22f89419e84850317030874154d26ee1955fd53a0041e55651dc9248731a4a7163441cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un403553.exe

Filesize
861KB

MD5
bae40ddb5eb31c933f9902ce1569bdb4

SHA1
69a98c9322b6da42a269be60f8ca466f9739408b

SHA256
08f07fca5ed1f415f4623fe53482b3b63c5e53a1fc31aac30f25b2808cbd5222

SHA512
8a96b759bff19c697c04ae757b08693a89745efb8f3cac90840650eb22f89419e84850317030874154d26ee1955fd53a0041e55651dc9248731a4a7163441cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk837085.exe

Filesize
168KB

MD5
bae14e2f3918026b65193aa528f6a3a8

SHA1
38e54e7696db2cdc980b3672a690d8628774765f

SHA256
2ceed6f2454a6d057958f939bea5632e8f4e7c8ae326e5ef0cf11086537a61d9

SHA512
f300cf70aa43991a8829221e5b5509a96e5c24109788934ead93c00cf94e568e6efd74b31b0d44747198f9813dd0cf5379390f1a51118f0a261f1e8965e88d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk837085.exe

Filesize
168KB

MD5
bae14e2f3918026b65193aa528f6a3a8

SHA1
38e54e7696db2cdc980b3672a690d8628774765f

SHA256
2ceed6f2454a6d057958f939bea5632e8f4e7c8ae326e5ef0cf11086537a61d9

SHA512
f300cf70aa43991a8829221e5b5509a96e5c24109788934ead93c00cf94e568e6efd74b31b0d44747198f9813dd0cf5379390f1a51118f0a261f1e8965e88d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un599084.exe

Filesize
707KB

MD5
4ab293fd1220da27c094cf8c3066a13a

SHA1
1a8f0babc11f06a671de17764621278c72e8ecd1

SHA256
2cb0260e72c4484cd81aee69f29140c9a3b5c4d396a7b73be165ae6aa2ad1709

SHA512
2308b72da11bf43bec0a1b0d7ed8e83861a77ebb2089f47984e5d66d984b4b1be67b69f4259e06f3dec406a47f091894ad2ebc3a7b2d49533f0c3e45bc833aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un599084.exe

Filesize
707KB

MD5
4ab293fd1220da27c094cf8c3066a13a

SHA1
1a8f0babc11f06a671de17764621278c72e8ecd1

SHA256
2cb0260e72c4484cd81aee69f29140c9a3b5c4d396a7b73be165ae6aa2ad1709

SHA512
2308b72da11bf43bec0a1b0d7ed8e83861a77ebb2089f47984e5d66d984b4b1be67b69f4259e06f3dec406a47f091894ad2ebc3a7b2d49533f0c3e45bc833aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr511369.exe

Filesize
404KB

MD5
1171ba516674dab08d5b4006e172c1f7

SHA1
008dc3102287e4ce720aa9f78e69c0eacc25a9e0

SHA256
d87098fc84c3c490590e4a8858d9a1b9aae2401052f843fbad46e54104c5dbb8

SHA512
d7f8e2b37926e8169c752592772b8755e1f9713f8522a16441510940c49bb8844f174b33dafad8689c8a0810b640353335417ded750447531eb39a19fb96f212

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr511369.exe

Filesize
404KB

MD5
1171ba516674dab08d5b4006e172c1f7

SHA1
008dc3102287e4ce720aa9f78e69c0eacc25a9e0

SHA256
d87098fc84c3c490590e4a8858d9a1b9aae2401052f843fbad46e54104c5dbb8

SHA512
d7f8e2b37926e8169c752592772b8755e1f9713f8522a16441510940c49bb8844f174b33dafad8689c8a0810b640353335417ded750447531eb39a19fb96f212

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu415032.exe

Filesize
588KB

MD5
06f4c04ae989f8d41d7dd32df861aedd

SHA1
8934bc6f0b3d6044a14a9a210c3c4cb925f99bb1

SHA256
74bba20aa133234eb3ac3b52c77cd8628df682761f01a4172be82315f5dd179c

SHA512
9f151ba42b10f0bc72d7286d569e11907acae3937c2104c3e9db00891a9154c39586e60b9378edd2b85683be78bee2b0e97354fc9cae343b38472bbe173b93b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu415032.exe

Filesize
588KB

MD5
06f4c04ae989f8d41d7dd32df861aedd

SHA1
8934bc6f0b3d6044a14a9a210c3c4cb925f99bb1

SHA256
74bba20aa133234eb3ac3b52c77cd8628df682761f01a4172be82315f5dd179c

SHA512
9f151ba42b10f0bc72d7286d569e11907acae3937c2104c3e9db00891a9154c39586e60b9378edd2b85683be78bee2b0e97354fc9cae343b38472bbe173b93b2

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
9769c25c4a15b0c8af084316d51ab586

SHA1
d9df15e4232d136ece8bc89354036adfdc3ec069

SHA256
06b517e81040b5c3fc27adb0c5cfbc05b6082a88d3e6087bb2f3f8e941e22913

SHA512
cffddfb5283ccae2615dd131eee23a137d9a79270295caa865d6f1cf8fa6650ed74106d41566b2d29f7dad39450e3a1feb46b9c568c4a71ba3329606fdea65a8

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
9769c25c4a15b0c8af084316d51ab586

SHA1
d9df15e4232d136ece8bc89354036adfdc3ec069

SHA256
06b517e81040b5c3fc27adb0c5cfbc05b6082a88d3e6087bb2f3f8e941e22913

SHA512
cffddfb5283ccae2615dd131eee23a137d9a79270295caa865d6f1cf8fa6650ed74106d41566b2d29f7dad39450e3a1feb46b9c568c4a71ba3329606fdea65a8

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
9769c25c4a15b0c8af084316d51ab586

SHA1
d9df15e4232d136ece8bc89354036adfdc3ec069

SHA256
06b517e81040b5c3fc27adb0c5cfbc05b6082a88d3e6087bb2f3f8e941e22913

SHA512
cffddfb5283ccae2615dd131eee23a137d9a79270295caa865d6f1cf8fa6650ed74106d41566b2d29f7dad39450e3a1feb46b9c568c4a71ba3329606fdea65a8

Download Submit
memory/232-2387-0x0000000002390000-0x00000000023CB000-memory.dmp

Filesize
236KB

Download
memory/708-163-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/708-169-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/708-189-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/708-190-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/708-191-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/708-193-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/708-187-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/708-185-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/708-183-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/708-181-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/708-179-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/708-177-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/708-175-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/708-173-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/708-171-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/708-188-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/708-167-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/708-165-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/708-161-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/708-160-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/708-155-0x0000000004E30000-0x00000000053D4000-memory.dmp

Filesize
5.6MB

Download
memory/708-156-0x0000000000970000-0x000000000099D000-memory.dmp

Filesize
180KB

Download
memory/708-157-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/708-158-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/708-159-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2532-2372-0x0000000000530000-0x000000000055E000-memory.dmp

Filesize
184KB

Download
memory/2532-2374-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/2532-2378-0x0000000006230000-0x00000000063F2000-memory.dmp

Filesize
1.8MB

Download
memory/2532-2379-0x00000000087D0000-0x0000000008CFC000-memory.dmp

Filesize
5.2MB

Download
memory/3324-2371-0x00000000057B0000-0x00000000057EC000-memory.dmp

Filesize
240KB

Download
memory/3324-2373-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/3324-2381-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/3324-2380-0x0000000006A80000-0x0000000006AD0000-memory.dmp

Filesize
320KB

Download
memory/3324-2362-0x0000000000E00000-0x0000000000E30000-memory.dmp

Filesize
192KB

Download
memory/3324-2377-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/3324-2364-0x0000000005E20000-0x0000000006438000-memory.dmp

Filesize
6.1MB

Download
memory/3324-2366-0x0000000005910000-0x0000000005A1A000-memory.dmp

Filesize
1.0MB

Download
memory/3324-2367-0x0000000005750000-0x0000000005762000-memory.dmp

Filesize
72KB

Download
memory/3324-2376-0x0000000005CE0000-0x0000000005D72000-memory.dmp

Filesize
584KB

Download
memory/3324-2375-0x0000000005BC0000-0x0000000005C36000-memory.dmp

Filesize
472KB

Download
memory/3560-229-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/3560-215-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/3560-225-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/3560-221-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/3560-227-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/3560-235-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/3560-2363-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/3560-217-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/3560-219-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/3560-231-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/3560-233-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/3560-223-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/3560-213-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/3560-207-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/3560-211-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/3560-210-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/3560-208-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/3560-205-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/3560-204-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/3560-203-0x0000000000990000-0x00000000009EB000-memory.dmp

Filesize
364KB

Download
memory/3560-201-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/3560-198-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/3560-199-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download