amadey | c6c0f5292f65ee5eee9106788fd2f621a3a2c24d460ddcabad5a53308692a007

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2023, 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6c0f5292f65ee5eee9106788fd2f621a3a2c24d460ddcabad5a53308692a007.exe
Size

982KB
MD5

8bf6680d188c85979ce38d626e11b581
SHA1

46e983d7224a651ae6fdb22897937d702eed46ad
SHA256

c6c0f5292f65ee5eee9106788fd2f621a3a2c24d460ddcabad5a53308692a007
SHA512

86f72b49bc995749a2289b405c59699feb39296366f57cb5909c2484d9cc1adbca6d2edfb388c3294e06de702ccc11ae34d3b91e52591036482303571e66ea8e
SSDEEP

24576:HyVgxqq0L8Xt5ZBs0h8O6PITos4sNeKkT/:SV8l0LWt5Zv3f8AMKs

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr317743.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr317743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr317743.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr317743.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr317743.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr317743.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	si374340.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 8 IoCs

pid	Process
2836	un575745.exe
496	un890531.exe
460	pr317743.exe
3580	qu692946.exe
2688	rk792188.exe
2032	si374340.exe
3492	oneetx.exe
4244	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
448	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr317743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr317743.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un575745.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un890531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un890531.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c6c0f5292f65ee5eee9106788fd2f621a3a2c24d460ddcabad5a53308692a007.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c6c0f5292f65ee5eee9106788fd2f621a3a2c24d460ddcabad5a53308692a007.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un575745.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 29 IoCs

pid	pid_target	Process	procid_target
1964	460	WerFault.exe	86
1048	3580	WerFault.exe	95
412	2032	WerFault.exe	100
4712	2032	WerFault.exe	100
4524	2032	WerFault.exe	100
3596	2032	WerFault.exe	100
1736	2032	WerFault.exe	100
4352	2032	WerFault.exe	100
2360	2032	WerFault.exe	100
3880	2032	WerFault.exe	100
3384	2032	WerFault.exe	100
608	2032	WerFault.exe	100
2088	3492	WerFault.exe	120
2092	3492	WerFault.exe	120
4392	3492	WerFault.exe	120
1976	3492	WerFault.exe	120
4404	3492	WerFault.exe	120
1548	3492	WerFault.exe	120
2912	3492	WerFault.exe	120
1148	3492	WerFault.exe	120
4388	3492	WerFault.exe	120
208	3492	WerFault.exe	120
1308	3492	WerFault.exe	120
2328	3492	WerFault.exe	120
3936	3492	WerFault.exe	120
1844	3492	WerFault.exe	120
4756	3492	WerFault.exe	120
2600	4244	WerFault.exe	156
4980	3492	WerFault.exe	120

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
460	pr317743.exe
460	pr317743.exe
3580	qu692946.exe
3580	qu692946.exe
2688	rk792188.exe
2688	rk792188.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	460	pr317743.exe
Token: SeDebugPrivilege	3580	qu692946.exe
Token: SeDebugPrivilege	2688	rk792188.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2032	si374340.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 2836	64	c6c0f5292f65ee5eee9106788fd2f621a3a2c24d460ddcabad5a53308692a007.exe	84
PID 64 wrote to memory of 2836	64	c6c0f5292f65ee5eee9106788fd2f621a3a2c24d460ddcabad5a53308692a007.exe	84
PID 64 wrote to memory of 2836	64	c6c0f5292f65ee5eee9106788fd2f621a3a2c24d460ddcabad5a53308692a007.exe	84
PID 2836 wrote to memory of 496	2836	un575745.exe	85
PID 2836 wrote to memory of 496	2836	un575745.exe	85
PID 2836 wrote to memory of 496	2836	un575745.exe	85
PID 496 wrote to memory of 460	496	un890531.exe	86
PID 496 wrote to memory of 460	496	un890531.exe	86
PID 496 wrote to memory of 460	496	un890531.exe	86
PID 496 wrote to memory of 3580	496	un890531.exe	95
PID 496 wrote to memory of 3580	496	un890531.exe	95
PID 496 wrote to memory of 3580	496	un890531.exe	95
PID 2836 wrote to memory of 2688	2836	un575745.exe	99
PID 2836 wrote to memory of 2688	2836	un575745.exe	99
PID 2836 wrote to memory of 2688	2836	un575745.exe	99
PID 64 wrote to memory of 2032	64	c6c0f5292f65ee5eee9106788fd2f621a3a2c24d460ddcabad5a53308692a007.exe	100
PID 64 wrote to memory of 2032	64	c6c0f5292f65ee5eee9106788fd2f621a3a2c24d460ddcabad5a53308692a007.exe	100
PID 64 wrote to memory of 2032	64	c6c0f5292f65ee5eee9106788fd2f621a3a2c24d460ddcabad5a53308692a007.exe	100
PID 2032 wrote to memory of 3492	2032	si374340.exe	120
PID 2032 wrote to memory of 3492	2032	si374340.exe	120
PID 2032 wrote to memory of 3492	2032	si374340.exe	120
PID 3492 wrote to memory of 756	3492	oneetx.exe	137
PID 3492 wrote to memory of 756	3492	oneetx.exe	137
PID 3492 wrote to memory of 756	3492	oneetx.exe	137
PID 3492 wrote to memory of 448	3492	oneetx.exe	153
PID 3492 wrote to memory of 448	3492	oneetx.exe	153
PID 3492 wrote to memory of 448	3492	oneetx.exe	153

C:\Users\Admin\AppData\Local\Temp\c6c0f5292f65ee5eee9106788fd2f621a3a2c24d460ddcabad5a53308692a007.exe
"C:\Users\Admin\AppData\Local\Temp\c6c0f5292f65ee5eee9106788fd2f621a3a2c24d460ddcabad5a53308692a007.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:64
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un575745.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un575745.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un890531.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un890531.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:496
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr317743.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr317743.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:460
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 1084
        5⤵
        Program crash
        
        PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu692946.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu692946.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3580
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 1324
        5⤵
        Program crash
        
        PID:1048
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk792188.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk792188.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si374340.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si374340.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 712
    3⤵
    - Program crash
    PID:412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 768
    3⤵
    - Program crash
    PID:4712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 860
    3⤵
    - Program crash
    PID:4524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 868
    3⤵
    - Program crash
    PID:3596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 976
    3⤵
    - Program crash
    PID:1736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 976
    3⤵
    - Program crash
    PID:4352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1220
    3⤵
    - Program crash
    PID:2360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1236
    3⤵
    - Program crash
    PID:3880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1320
    3⤵
    - Program crash
    PID:3384
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 708
      4⤵
      Program crash
      PID:2088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 840
      4⤵
      Program crash
      PID:2092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 892
      4⤵
      Program crash
      PID:4392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1056
      4⤵
      Program crash
      PID:1976
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1076
      4⤵
      Program crash
      PID:4404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1076
      4⤵
      Program crash
      PID:1548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1112
      4⤵
      Program crash
      PID:2912
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 996
      4⤵
      Program crash
      PID:1148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1304
      4⤵
      Program crash
      PID:4388
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1340
      4⤵
      Program crash
      PID:208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1328
      4⤵
      Program crash
      PID:1308
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1436
      4⤵
      Program crash
      PID:2328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1068
      4⤵
      Program crash
      PID:3936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1624
      4⤵
      Program crash
      PID:1844
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1632
      4⤵
      Program crash
      PID:4756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1644
      4⤵
      Program crash
      PID:4980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1376
    3⤵
    - Program crash
    PID:608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 460 -ip 460
1⤵
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3580 -ip 3580
1⤵
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2032 -ip 2032
1⤵
PID:580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2032 -ip 2032
1⤵
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2032 -ip 2032
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2032 -ip 2032
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2032 -ip 2032
1⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2032 -ip 2032
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2032 -ip 2032
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2032 -ip 2032
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2032 -ip 2032
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2032 -ip 2032
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3492 -ip 3492
1⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3492 -ip 3492
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3492 -ip 3492
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3492 -ip 3492
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3492 -ip 3492
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3492 -ip 3492
1⤵
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3492 -ip 3492
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3492 -ip 3492
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3492 -ip 3492
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3492 -ip 3492
1⤵
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3492 -ip 3492
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3492 -ip 3492
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3492 -ip 3492
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3492 -ip 3492
1⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3492 -ip 3492
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 424
  2⤵
  - Program crash
  PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4244 -ip 4244
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3492 -ip 3492
1⤵
PID:2452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
246KB

MD5
ba8cd6d53321a95797c9889476bb7860

SHA1
f6b5bcca39ef1522d18338b11ddbca21036d56d4

SHA256
c9c7855700f7248273687aeb7f45bbf45c67e363d43bb0e8c0bb916aeda27f31

SHA512
e3161ed75091a16e58354d2565e951929c194b695df3eef84973fcba57f6460c68d84ebf1daf6a5f1085efbd1449fe44588aeac5b43a5e8ebb74cc310aaea824

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
246KB

MD5
ba8cd6d53321a95797c9889476bb7860

SHA1
f6b5bcca39ef1522d18338b11ddbca21036d56d4

SHA256
c9c7855700f7248273687aeb7f45bbf45c67e363d43bb0e8c0bb916aeda27f31

SHA512
e3161ed75091a16e58354d2565e951929c194b695df3eef84973fcba57f6460c68d84ebf1daf6a5f1085efbd1449fe44588aeac5b43a5e8ebb74cc310aaea824

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
246KB

MD5
ba8cd6d53321a95797c9889476bb7860

SHA1
f6b5bcca39ef1522d18338b11ddbca21036d56d4

SHA256
c9c7855700f7248273687aeb7f45bbf45c67e363d43bb0e8c0bb916aeda27f31

SHA512
e3161ed75091a16e58354d2565e951929c194b695df3eef84973fcba57f6460c68d84ebf1daf6a5f1085efbd1449fe44588aeac5b43a5e8ebb74cc310aaea824

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
246KB

MD5
ba8cd6d53321a95797c9889476bb7860

SHA1
f6b5bcca39ef1522d18338b11ddbca21036d56d4

SHA256
c9c7855700f7248273687aeb7f45bbf45c67e363d43bb0e8c0bb916aeda27f31

SHA512
e3161ed75091a16e58354d2565e951929c194b695df3eef84973fcba57f6460c68d84ebf1daf6a5f1085efbd1449fe44588aeac5b43a5e8ebb74cc310aaea824

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si374340.exe

Filesize
246KB

MD5
ba8cd6d53321a95797c9889476bb7860

SHA1
f6b5bcca39ef1522d18338b11ddbca21036d56d4

SHA256
c9c7855700f7248273687aeb7f45bbf45c67e363d43bb0e8c0bb916aeda27f31

SHA512
e3161ed75091a16e58354d2565e951929c194b695df3eef84973fcba57f6460c68d84ebf1daf6a5f1085efbd1449fe44588aeac5b43a5e8ebb74cc310aaea824

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si374340.exe

Filesize
246KB

MD5
ba8cd6d53321a95797c9889476bb7860

SHA1
f6b5bcca39ef1522d18338b11ddbca21036d56d4

SHA256
c9c7855700f7248273687aeb7f45bbf45c67e363d43bb0e8c0bb916aeda27f31

SHA512
e3161ed75091a16e58354d2565e951929c194b695df3eef84973fcba57f6460c68d84ebf1daf6a5f1085efbd1449fe44588aeac5b43a5e8ebb74cc310aaea824

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un575745.exe

Filesize
708KB

MD5
8dd0dd19db3eaad961884fd5daa5e031

SHA1
3dd469f4a41dcf43724d56fe7da005d1964d01de

SHA256
5b5a26497bddd85ee12987b2237e5f0764ad4cf30b3ebe6f33846f1ba9b5bda9

SHA512
4fb1fa01af5369ab0588e03fd7b37c5ee183c5440a3e7967b885c62baabad3c9f69af0e3516bf9bd547b6b015fa8a4181af959ae1f4444718a5f20451149bc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un575745.exe

Filesize
708KB

MD5
8dd0dd19db3eaad961884fd5daa5e031

SHA1
3dd469f4a41dcf43724d56fe7da005d1964d01de

SHA256
5b5a26497bddd85ee12987b2237e5f0764ad4cf30b3ebe6f33846f1ba9b5bda9

SHA512
4fb1fa01af5369ab0588e03fd7b37c5ee183c5440a3e7967b885c62baabad3c9f69af0e3516bf9bd547b6b015fa8a4181af959ae1f4444718a5f20451149bc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk792188.exe

Filesize
136KB

MD5
359db2338ae0f977dcf10e90cf9816fb

SHA1
94126cb670e5f434e555c991c967e0ee98fae552

SHA256
5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc

SHA512
d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk792188.exe

Filesize
136KB

MD5
359db2338ae0f977dcf10e90cf9816fb

SHA1
94126cb670e5f434e555c991c967e0ee98fae552

SHA256
5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc

SHA512
d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un890531.exe

Filesize
554KB

MD5
1bd39567df32708fee7a788ad8d97c3b

SHA1
17cb9f0491b6668ae0f62004319f9f6f3bced03e

SHA256
d5f0c527754da9e4ebf6a5d1a0f54e89ed6eb61bdc409eb12dc81cdfb667bde9

SHA512
db2574e77eeb089c1d47026a17f0967869d188efda3b6684adb7f7a1c6aac59df27a8cf669d8b1b016fca5cdaafea5df3a48d302452bf14dee4639c94c2bb0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un890531.exe

Filesize
554KB

MD5
1bd39567df32708fee7a788ad8d97c3b

SHA1
17cb9f0491b6668ae0f62004319f9f6f3bced03e

SHA256
d5f0c527754da9e4ebf6a5d1a0f54e89ed6eb61bdc409eb12dc81cdfb667bde9

SHA512
db2574e77eeb089c1d47026a17f0967869d188efda3b6684adb7f7a1c6aac59df27a8cf669d8b1b016fca5cdaafea5df3a48d302452bf14dee4639c94c2bb0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr317743.exe

Filesize
254KB

MD5
6b4163872799bfd5a3f50e3d6b7eb6d3

SHA1
cfe4d5d97e52367955610707361b9d00001cc381

SHA256
d5e73c08d55eb228d5600a39c5f3955d6f32b09502878aae12156a0ca71d99cf

SHA512
4bc32e46cc1c4cd6c27a5f96915a748d6759f9d5054b87b79f417be67209b42efcaeb41be7efafeb9cdebeb1a8c87f91d325cabfb336ff503fc1cc772248d769

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr317743.exe

Filesize
254KB

MD5
6b4163872799bfd5a3f50e3d6b7eb6d3

SHA1
cfe4d5d97e52367955610707361b9d00001cc381

SHA256
d5e73c08d55eb228d5600a39c5f3955d6f32b09502878aae12156a0ca71d99cf

SHA512
4bc32e46cc1c4cd6c27a5f96915a748d6759f9d5054b87b79f417be67209b42efcaeb41be7efafeb9cdebeb1a8c87f91d325cabfb336ff503fc1cc772248d769

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu692946.exe

Filesize
337KB

MD5
e15c0fa187e291ba7eb9d0ed5b478919

SHA1
57a5b286314ef290a4376a83fb7c314c47f29f5b

SHA256
8c49ae33c911c6f282bb4ac6083557b843ac21e41f7db432742a24f7ef1bde85

SHA512
f05f918c49932a42760c4032076047bdcb52888bd35f48f04ff460da7da49839686ca690fe5adb6847626fb7bf301482ad01fce53321e0cf1a5659c1f9d8ac40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu692946.exe

Filesize
337KB

MD5
e15c0fa187e291ba7eb9d0ed5b478919

SHA1
57a5b286314ef290a4376a83fb7c314c47f29f5b

SHA256
8c49ae33c911c6f282bb4ac6083557b843ac21e41f7db432742a24f7ef1bde85

SHA512
f05f918c49932a42760c4032076047bdcb52888bd35f48f04ff460da7da49839686ca690fe5adb6847626fb7bf301482ad01fce53321e0cf1a5659c1f9d8ac40

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/460-157-0x0000000004BA0000-0x0000000005144000-memory.dmp

Filesize
5.6MB

Download
memory/460-192-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/460-175-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/460-177-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/460-179-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/460-181-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/460-183-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/460-185-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/460-186-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/460-187-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/460-188-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/460-189-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/460-191-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/460-173-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/460-193-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/460-171-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/460-169-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/460-167-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/460-165-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/460-163-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/460-161-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/460-159-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/460-158-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/460-155-0x0000000000610000-0x000000000063D000-memory.dmp

Filesize
180KB

Download
memory/460-156-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/2032-1017-0x0000000000550000-0x000000000058B000-memory.dmp

Filesize
236KB

Download
memory/2688-1010-0x00000000000B0000-0x00000000000D8000-memory.dmp

Filesize
160KB

Download
memory/2688-1011-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/3580-207-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/3580-225-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/3580-227-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/3580-229-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/3580-231-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/3580-279-0x0000000000760000-0x00000000007A6000-memory.dmp

Filesize
280KB

Download
memory/3580-280-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3580-282-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3580-993-0x0000000007640000-0x0000000007C58000-memory.dmp

Filesize
6.1MB

Download
memory/3580-994-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/3580-995-0x0000000007C60000-0x0000000007D6A000-memory.dmp

Filesize
1.0MB

Download
memory/3580-996-0x0000000007D70000-0x0000000007DAC000-memory.dmp

Filesize
240KB

Download
memory/3580-997-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3580-998-0x0000000008060000-0x00000000080C6000-memory.dmp

Filesize
408KB

Download
memory/3580-999-0x0000000008730000-0x00000000087C2000-memory.dmp

Filesize
584KB

Download
memory/3580-1000-0x00000000088E0000-0x0000000008956000-memory.dmp

Filesize
472KB

Download
memory/3580-1001-0x0000000008990000-0x00000000089AE000-memory.dmp

Filesize
120KB

Download
memory/3580-1002-0x0000000008A50000-0x0000000008AA0000-memory.dmp

Filesize
320KB

Download
memory/3580-223-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/3580-221-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/3580-219-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/3580-217-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/3580-215-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/3580-213-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/3580-211-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/3580-209-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/3580-205-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/3580-203-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/3580-201-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/3580-198-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/3580-199-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/3580-1003-0x0000000008AC0000-0x0000000008C82000-memory.dmp

Filesize
1.8MB

Download
memory/3580-1004-0x0000000008C90000-0x00000000091BC000-memory.dmp

Filesize
5.2MB

Download
memory/4244-1057-0x0000000001FD0000-0x000000000200B000-memory.dmp

Filesize
236KB

Download