amadey | 991341f629a35c24545c5531015c33a5453ceb69524fa4db731d9cb9bc5874ec

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2023, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

991341f629a35c24545c5531015c33a5453ceb69524fa4db731d9cb9bc5874ec.exe
Size

1.1MB
MD5

5d5764494307cc2bbb776e8bc6489e4d
SHA1

7b85359d7b50fa368545fa36be867c3ef1603d5b
SHA256

991341f629a35c24545c5531015c33a5453ceb69524fa4db731d9cb9bc5874ec
SHA512

223692db9f042e988d609ff83f424decc8d0d2c5e5d0f29dd8a632a87447142f5e9efd19d297098105cdcd87b27327629fe10a7f0c8fa399b8290cb9a322e24b
SSDEEP

24576:XySVGybswMyDaKg0zaWRB4cxONCPphrMOGmPmkWcqv30Y:iSVLIwMPoDPlmCP3MOGm4v30

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr287976.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr287976.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr287976.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr287976.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr287976.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr287976.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	si280222.exe

Executes dropped EXE 9 IoCs

pid	Process
1772	un050623.exe
2304	un611963.exe
4504	pr287976.exe
988	qu885613.exe
2724	rk439675.exe
1696	si280222.exe
4900	oneetx.exe
1136	oneetx.exe
4036	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
4400	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr287976.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr287976.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	991341f629a35c24545c5531015c33a5453ceb69524fa4db731d9cb9bc5874ec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un050623.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un050623.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un611963.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un611963.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	991341f629a35c24545c5531015c33a5453ceb69524fa4db731d9cb9bc5874ec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
4116	4504	WerFault.exe	84
2220	988	WerFault.exe	90
3932	1696	WerFault.exe	94
4908	1696	WerFault.exe	94
4612	1696	WerFault.exe	94
4068	1696	WerFault.exe	94
2652	1696	WerFault.exe	94
2996	1696	WerFault.exe	94
4572	1696	WerFault.exe	94
4548	1696	WerFault.exe	94
4012	1696	WerFault.exe	94
3312	1696	WerFault.exe	94
3784	4900	WerFault.exe	114
5012	4900	WerFault.exe	114
620	4900	WerFault.exe	114
4992	4900	WerFault.exe	114
4668	4900	WerFault.exe	114
3432	4900	WerFault.exe	114
4916	4900	WerFault.exe	114
2956	4900	WerFault.exe	114
2744	4900	WerFault.exe	114
952	4900	WerFault.exe	114
2184	4900	WerFault.exe	114
3400	4900	WerFault.exe	114
4176	4900	WerFault.exe	114
4764	1136	WerFault.exe	149
1364	4900	WerFault.exe	114
4744	4900	WerFault.exe	114
4192	4900	WerFault.exe	114
692	4036	WerFault.exe	159

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4504	pr287976.exe
4504	pr287976.exe
988	qu885613.exe
988	qu885613.exe
2724	rk439675.exe
2724	rk439675.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4504	pr287976.exe
Token: SeDebugPrivilege	988	qu885613.exe
Token: SeDebugPrivilege	2724	rk439675.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1696	si280222.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 1772	1028	991341f629a35c24545c5531015c33a5453ceb69524fa4db731d9cb9bc5874ec.exe	82
PID 1028 wrote to memory of 1772	1028	991341f629a35c24545c5531015c33a5453ceb69524fa4db731d9cb9bc5874ec.exe	82
PID 1028 wrote to memory of 1772	1028	991341f629a35c24545c5531015c33a5453ceb69524fa4db731d9cb9bc5874ec.exe	82
PID 1772 wrote to memory of 2304	1772	un050623.exe	83
PID 1772 wrote to memory of 2304	1772	un050623.exe	83
PID 1772 wrote to memory of 2304	1772	un050623.exe	83
PID 2304 wrote to memory of 4504	2304	un611963.exe	84
PID 2304 wrote to memory of 4504	2304	un611963.exe	84
PID 2304 wrote to memory of 4504	2304	un611963.exe	84
PID 2304 wrote to memory of 988	2304	un611963.exe	90
PID 2304 wrote to memory of 988	2304	un611963.exe	90
PID 2304 wrote to memory of 988	2304	un611963.exe	90
PID 1772 wrote to memory of 2724	1772	un050623.exe	93
PID 1772 wrote to memory of 2724	1772	un050623.exe	93
PID 1772 wrote to memory of 2724	1772	un050623.exe	93
PID 1028 wrote to memory of 1696	1028	991341f629a35c24545c5531015c33a5453ceb69524fa4db731d9cb9bc5874ec.exe	94
PID 1028 wrote to memory of 1696	1028	991341f629a35c24545c5531015c33a5453ceb69524fa4db731d9cb9bc5874ec.exe	94
PID 1028 wrote to memory of 1696	1028	991341f629a35c24545c5531015c33a5453ceb69524fa4db731d9cb9bc5874ec.exe	94
PID 1696 wrote to memory of 4900	1696	si280222.exe	114
PID 1696 wrote to memory of 4900	1696	si280222.exe	114
PID 1696 wrote to memory of 4900	1696	si280222.exe	114
PID 4900 wrote to memory of 1108	4900	oneetx.exe	133
PID 4900 wrote to memory of 1108	4900	oneetx.exe	133
PID 4900 wrote to memory of 1108	4900	oneetx.exe	133
PID 4900 wrote to memory of 4400	4900	oneetx.exe	154
PID 4900 wrote to memory of 4400	4900	oneetx.exe	154
PID 4900 wrote to memory of 4400	4900	oneetx.exe	154

C:\Users\Admin\AppData\Local\Temp\991341f629a35c24545c5531015c33a5453ceb69524fa4db731d9cb9bc5874ec.exe
"C:\Users\Admin\AppData\Local\Temp\991341f629a35c24545c5531015c33a5453ceb69524fa4db731d9cb9bc5874ec.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un050623.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un050623.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un611963.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un611963.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr287976.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr287976.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4504
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1080
        5⤵
        Program crash
        
        PID:4116
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu885613.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu885613.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:988
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1724
        5⤵
        Program crash
        
        PID:2220
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk439675.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk439675.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si280222.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si280222.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 696
    3⤵
    - Program crash
    PID:3932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 748
    3⤵
    - Program crash
    PID:4908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 856
    3⤵
    - Program crash
    PID:4612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 952
    3⤵
    - Program crash
    PID:4068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 956
    3⤵
    - Program crash
    PID:2652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 980
    3⤵
    - Program crash
    PID:2996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1168
    3⤵
    - Program crash
    PID:4572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1236
    3⤵
    - Program crash
    PID:4548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1320
    3⤵
    - Program crash
    PID:4012
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 692
      4⤵
      Program crash
      PID:3784
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 884
      4⤵
      Program crash
      PID:5012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 940
      4⤵
      Program crash
      PID:620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1052
      4⤵
      Program crash
      PID:4992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1072
      4⤵
      Program crash
      PID:4668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1072
      4⤵
      Program crash
      PID:3432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1136
      4⤵
      Program crash
      PID:4916
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 992
      4⤵
      Program crash
      PID:2956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 684
      4⤵
      Program crash
      PID:2744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1296
      4⤵
      Program crash
      PID:952
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 752
      4⤵
      Program crash
      PID:2184
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1436
      4⤵
      Program crash
      PID:3400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1088
      4⤵
      Program crash
      PID:4176
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1644
      4⤵
      Program crash
      PID:1364
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1440
      4⤵
      Program crash
      PID:4744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1640
      4⤵
      Program crash
      PID:4192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1544
    3⤵
    - Program crash
    PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4504 -ip 4504
1⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 988 -ip 988
1⤵
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1696 -ip 1696
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1696 -ip 1696
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1696 -ip 1696
1⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1696 -ip 1696
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1696 -ip 1696
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1696 -ip 1696
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1696 -ip 1696
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1696 -ip 1696
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1696 -ip 1696
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1696 -ip 1696
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4900 -ip 4900
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4900 -ip 4900
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4900 -ip 4900
1⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4900 -ip 4900
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4900 -ip 4900
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4900 -ip 4900
1⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4900 -ip 4900
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4900 -ip 4900
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4900 -ip 4900
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4900 -ip 4900
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4900 -ip 4900
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4900 -ip 4900
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4900 -ip 4900
1⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:1136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 316
  2⤵
  - Program crash
  PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1136 -ip 1136
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4900 -ip 4900
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4900 -ip 4900
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4900 -ip 4900
1⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 312
  2⤵
  - Program crash
  PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4036 -ip 4036
1⤵
PID:1400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
390KB

MD5
65607330953575adbdc695c97a2ad43a

SHA1
8d91528bf5e1a2e489caf46449ed890456f2bfc7

SHA256
d47e1a80623c3c06e6e253242033087617c3d572a6d8578f759a1758def88353

SHA512
b5e59c143a7c0d56a58aafce683870e9f0cfa247a6be6fb640afe69950ec073b772170cf0c3b66334f051b8bdcfd5683f08f34710ca5ec8b2be43095706f47b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
390KB

MD5
65607330953575adbdc695c97a2ad43a

SHA1
8d91528bf5e1a2e489caf46449ed890456f2bfc7

SHA256
d47e1a80623c3c06e6e253242033087617c3d572a6d8578f759a1758def88353

SHA512
b5e59c143a7c0d56a58aafce683870e9f0cfa247a6be6fb640afe69950ec073b772170cf0c3b66334f051b8bdcfd5683f08f34710ca5ec8b2be43095706f47b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
390KB

MD5
65607330953575adbdc695c97a2ad43a

SHA1
8d91528bf5e1a2e489caf46449ed890456f2bfc7

SHA256
d47e1a80623c3c06e6e253242033087617c3d572a6d8578f759a1758def88353

SHA512
b5e59c143a7c0d56a58aafce683870e9f0cfa247a6be6fb640afe69950ec073b772170cf0c3b66334f051b8bdcfd5683f08f34710ca5ec8b2be43095706f47b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
390KB

MD5
65607330953575adbdc695c97a2ad43a

SHA1
8d91528bf5e1a2e489caf46449ed890456f2bfc7

SHA256
d47e1a80623c3c06e6e253242033087617c3d572a6d8578f759a1758def88353

SHA512
b5e59c143a7c0d56a58aafce683870e9f0cfa247a6be6fb640afe69950ec073b772170cf0c3b66334f051b8bdcfd5683f08f34710ca5ec8b2be43095706f47b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
390KB

MD5
65607330953575adbdc695c97a2ad43a

SHA1
8d91528bf5e1a2e489caf46449ed890456f2bfc7

SHA256
d47e1a80623c3c06e6e253242033087617c3d572a6d8578f759a1758def88353

SHA512
b5e59c143a7c0d56a58aafce683870e9f0cfa247a6be6fb640afe69950ec073b772170cf0c3b66334f051b8bdcfd5683f08f34710ca5ec8b2be43095706f47b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si280222.exe

Filesize
390KB

MD5
65607330953575adbdc695c97a2ad43a

SHA1
8d91528bf5e1a2e489caf46449ed890456f2bfc7

SHA256
d47e1a80623c3c06e6e253242033087617c3d572a6d8578f759a1758def88353

SHA512
b5e59c143a7c0d56a58aafce683870e9f0cfa247a6be6fb640afe69950ec073b772170cf0c3b66334f051b8bdcfd5683f08f34710ca5ec8b2be43095706f47b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si280222.exe

Filesize
390KB

MD5
65607330953575adbdc695c97a2ad43a

SHA1
8d91528bf5e1a2e489caf46449ed890456f2bfc7

SHA256
d47e1a80623c3c06e6e253242033087617c3d572a6d8578f759a1758def88353

SHA512
b5e59c143a7c0d56a58aafce683870e9f0cfa247a6be6fb640afe69950ec073b772170cf0c3b66334f051b8bdcfd5683f08f34710ca5ec8b2be43095706f47b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un050623.exe

Filesize
763KB

MD5
d287525e96571027ea87e7bbc43e9a98

SHA1
7ff58e575109dd88f52ea424c3c6e71556a68631

SHA256
c022f488d42a51a2b5810881247334bc2d1df15041de7a99a844875e36262f83

SHA512
ade5761b251d00a55e65a3bf7f4536baf6c4e63f526abce3619cbbd6bd742f089ad7918f3cc44f42e42d5d5d5c1943a17a56a1275c170af9cca125c444f03d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un050623.exe

Filesize
763KB

MD5
d287525e96571027ea87e7bbc43e9a98

SHA1
7ff58e575109dd88f52ea424c3c6e71556a68631

SHA256
c022f488d42a51a2b5810881247334bc2d1df15041de7a99a844875e36262f83

SHA512
ade5761b251d00a55e65a3bf7f4536baf6c4e63f526abce3619cbbd6bd742f089ad7918f3cc44f42e42d5d5d5c1943a17a56a1275c170af9cca125c444f03d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk439675.exe

Filesize
137KB

MD5
3bc01205cb896f5f522b7cc9155d761f

SHA1
895f24d871dd5465cd3577f8ac7e1aec15e60dd9

SHA256
24e19ae5168d97bccc6d509b95fca66da4c7c67e8173fdb3207cccdc45a82b72

SHA512
11b6a083af5ae8aea6a1f1498dbefec58d6addf0ef17138cdc43db39be64379460b124e97928ad9ee3c883478abb19c92b71a9f0e86ee18f36de0bf65c11d361

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk439675.exe

Filesize
137KB

MD5
3bc01205cb896f5f522b7cc9155d761f

SHA1
895f24d871dd5465cd3577f8ac7e1aec15e60dd9

SHA256
24e19ae5168d97bccc6d509b95fca66da4c7c67e8173fdb3207cccdc45a82b72

SHA512
11b6a083af5ae8aea6a1f1498dbefec58d6addf0ef17138cdc43db39be64379460b124e97928ad9ee3c883478abb19c92b71a9f0e86ee18f36de0bf65c11d361

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un611963.exe

Filesize
608KB

MD5
cc6239f3cd59f9e6d99707837f18413a

SHA1
723d6a60c4acc4c0413765200a1c09a9427b064f

SHA256
e58ba7b479c84d2ebf26bb24f5d077e304875e3ab23d579ff28703d20f066dc0

SHA512
66f1859a5ca7257d1e3d58cc379d9f6a4b95d4e6e91152342dcce5cfff5585d95f54a3d3176ae4069bd1cd273c22c6972e3837f97c5df447cd8922829cd9da50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un611963.exe

Filesize
608KB

MD5
cc6239f3cd59f9e6d99707837f18413a

SHA1
723d6a60c4acc4c0413765200a1c09a9427b064f

SHA256
e58ba7b479c84d2ebf26bb24f5d077e304875e3ab23d579ff28703d20f066dc0

SHA512
66f1859a5ca7257d1e3d58cc379d9f6a4b95d4e6e91152342dcce5cfff5585d95f54a3d3176ae4069bd1cd273c22c6972e3837f97c5df447cd8922829cd9da50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr287976.exe

Filesize
399KB

MD5
5da3be5a707405b1269de73533babe57

SHA1
a61b7e0a34c309c794d563187366ac3d7c742f26

SHA256
29576f086a0ae78d1bb8ab66d62bd53d8fc4306e74a8f537796250b27c96ae24

SHA512
0265119d31dadf6708631ca3b6da31d95aab63c252ce4465821d62c9b5ac414f09b4004830bde1a85b72af06715080b6cbc705559b501582e8d0622db4bbc776

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr287976.exe

Filesize
399KB

MD5
5da3be5a707405b1269de73533babe57

SHA1
a61b7e0a34c309c794d563187366ac3d7c742f26

SHA256
29576f086a0ae78d1bb8ab66d62bd53d8fc4306e74a8f537796250b27c96ae24

SHA512
0265119d31dadf6708631ca3b6da31d95aab63c252ce4465821d62c9b5ac414f09b4004830bde1a85b72af06715080b6cbc705559b501582e8d0622db4bbc776

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu885613.exe

Filesize
481KB

MD5
4e1673a04ea46f39222f70f9273095da

SHA1
8fa422c9ba66cc62b0a3033e4f6ba2d166525813

SHA256
2e9cd2357efc8404f12f8ecea64fc783b24ad1a7dd40a4eda740a14a5ef60b50

SHA512
a44ba338ffb6819600c570be708f1ea0809045dc7d622a8af0398402cc01ae3136f3a09f5d7fac71afd184fa50e1570f3968566b283856836db5fcc7a5755df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu885613.exe

Filesize
481KB

MD5
4e1673a04ea46f39222f70f9273095da

SHA1
8fa422c9ba66cc62b0a3033e4f6ba2d166525813

SHA256
2e9cd2357efc8404f12f8ecea64fc783b24ad1a7dd40a4eda740a14a5ef60b50

SHA512
a44ba338ffb6819600c570be708f1ea0809045dc7d622a8af0398402cc01ae3136f3a09f5d7fac71afd184fa50e1570f3968566b283856836db5fcc7a5755df8

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/988-999-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/988-514-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/988-1005-0x0000000008FE0000-0x000000000950C000-memory.dmp

Filesize
5.2MB

Download
memory/988-1004-0x0000000008E10000-0x0000000008FD2000-memory.dmp

Filesize
1.8MB

Download
memory/988-1003-0x0000000002860000-0x00000000028B0000-memory.dmp

Filesize
320KB

Download
memory/988-1002-0x0000000008CE0000-0x0000000008CFE000-memory.dmp

Filesize
120KB

Download
memory/988-1001-0x0000000008C40000-0x0000000008CB6000-memory.dmp

Filesize
472KB

Download
memory/988-1000-0x0000000008A70000-0x0000000008B02000-memory.dmp

Filesize
584KB

Download
memory/988-998-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/988-997-0x00000000080C0000-0x00000000080FC000-memory.dmp

Filesize
240KB

Download
memory/988-996-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/988-995-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/988-198-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/988-199-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/988-201-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/988-203-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/988-205-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/988-207-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/988-209-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/988-211-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/988-213-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/988-215-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/988-217-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/988-219-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/988-221-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/988-223-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/988-225-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/988-227-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/988-229-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/988-231-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/988-513-0x00000000023A0000-0x00000000023E6000-memory.dmp

Filesize
280KB

Download
memory/988-994-0x00000000078C0000-0x0000000007ED8000-memory.dmp

Filesize
6.1MB

Download
memory/988-516-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/988-518-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/1696-1018-0x00000000009A0000-0x00000000009DB000-memory.dmp

Filesize
236KB

Download
memory/2724-1011-0x00000000004C0000-0x00000000004E8000-memory.dmp

Filesize
160KB

Download
memory/2724-1012-0x00000000075E0000-0x00000000075F0000-memory.dmp

Filesize
64KB

Download
memory/4504-190-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4504-173-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/4504-181-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4504-191-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4504-186-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4504-188-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/4504-179-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/4504-180-0x0000000000AB0000-0x0000000000ADD000-memory.dmp

Filesize
180KB

Download
memory/4504-184-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4504-177-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/4504-175-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/4504-193-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/4504-187-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/4504-192-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4504-171-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/4504-183-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/4504-169-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/4504-167-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/4504-165-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/4504-163-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/4504-161-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/4504-159-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/4504-157-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/4504-156-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/4504-155-0x0000000004F70000-0x0000000005514000-memory.dmp

Filesize
5.6MB

Download